b'AUDIT OF THE DEPARTMENT OF JUSTICE\xe2\x80\x99S \n\n IMPLEMENTATION OF AND COMPLIANCE \n\n    WITH CERTAIN CLASSIFICATION \n\n           REQUIREMENTS\n\n\n         U.S. Department of Justice \n\n       Office of the Inspector General \n\n                Audit Division \n\n\n             Audit Report 13-40 \n\n              September 2013\n\n\x0c\x0c       AUDIT OF THE DEPARTMENT OF JUSTICE\xe2\x80\x99S \n\n  IMPLEMENTATION OF AND COMPLIANCE WITH CERTAIN \n\n          CLASSIFICATION REQUIREMENTS \n\n\n                               EXECUTIVE SUMMARY\n\n\n       In 2010, Congress passed Public Law 111-258, the Reducing\nOver-Classification Act (Act), which, among other things, directed the\nInspector General of certain federal agencies, including the Department of\nJustice (DOJ), to: (1) assess whether applicable classification policies,\nprocedures, rules, and regulations have been adopted, followed, and are\neffectively administered within such department, agency, or component; and\n(2) identify policies, procedures, rules, regulations, or management practices\nthat may be contributing to persistent misclassification of material within\nsuch department, agency, or component. The Act requires the evaluation to\nbe completed by September 30, 2013. A second evaluation required by the\nAct, which is due by September 30, 2016, will review DOJ\xe2\x80\x99s progress in\nimplementing the recommendations of this audit.\n\nBackground\n\n      The appropriate classification of information is critical to the\ngovernment\xe2\x80\x99s efforts to ensure national security. However, the\n9/11 Commission, Congress, and the White House have recognized that\nover-classification of information interferes with accurate and actionable\ninformation sharing, increases the cost of information security, and\nneedlessly limits stakeholder and public access to information.1\n\n       When information is identified as posing a risk to national security, an\nofficial with \xe2\x80\x9cOriginal Classification Authority\xe2\x80\x9d (OCA) designates the\ninformation as classified, known as an original classification decision.2 OCA\nofficials convey their classification decisions by marking the original\ndocument (or source document) or, more often, by capturing the\n\n       1\n          The National Archives and Records Administration\xe2\x80\x99s (NARA) Information Security\nOversight Office developed the working definition of \xe2\x80\x9cover-classification\xe2\x80\x9d as the designation\nof information as classified when the information does not meet one or more of the\nstandards for classification under section 1.1 of Executive Order (EO) 13526. In other\nwords, over-classification is either treating unclassified information as if it were classified, or\nclassifying information at a higher level of classification than is appropriate.\n       2\n          According to EO 13526, original classification authority is delegated by the\nPresident and the Vice President and can be further delegated by an agency head or certain\nother officials designated with original classification authority.\n\n\n\n                                                 i\n\x0cclassification decision in a security classification guide. Once an OCA official\nclassifies information, that information may be paraphrased, extracted, or\nsummarized, which is known as a derivative classification decision. A\nderivative classifier must observe and respect the original classification\ndecision and carry forward to any newly created document the pertinent\nclassification markings from the source document(s) or the security\nclassification guide.\n\n       Within DOJ, the Security and Emergency Planning Staff (SEPS) is\nresponsible for implementing DOJ\xe2\x80\x99s classification management program and\nensuring DOJ\xe2\x80\x99s organizational compliance with classified national security\ninformation laws, regulations, directives, and other guidance, as\nappropriate.3 In addition, the Federal Bureau of Investigation\xe2\x80\x99s (FBI)\nNational Security Branch and the Drug Enforcement Administration\xe2\x80\x99s (DEA)\nOffice of National Security Intelligence are members of the Intelligence\nCommunity and as such also are subject to the classification policies\nestablished by the Office of the Director of National Intelligence (ODNI).\nFinally, DOJ is required to establish and implement uniform security polices\nand operational procedures for the classification, safeguarding, and\ndeclassification of national security information.\n\nResults in Brief\n\n      We found that DOJ has established classification policies and\nprocedures, but has not effectively administered those policies and\nprocedures to ensure that information is classified and disseminated\nappropriately. Although our review of a small sample of classified\ndocuments created during fiscal year (FY) 2012 did not find indications of\nwidespread misclassification, we did identify deficiencies with the\nimplementation of DOJ\xe2\x80\x99s classification program, including persistent\nmisunderstanding and lack of knowledge of certain classification processes\nby officials within DOJ components.\n\n       Based on these findings, we believe that the types of discrepancies we\nidentified and the causes of those discrepancies indicate that DOJ is\nsusceptible to misclassification.\n\n       Specifically, we found several documents in which unclassified\ninformation was inappropriately identified as being classified. We also\nidentified many documents that either did not contain required classification\nmarkings or contained incorrect classification markings. Some of these\n\n      3\n          SEPS is a component of DOJ\xe2\x80\x99s Justice Management Division.\n\n\n\n                                            ii\n\x0cmarking errors included missing, incomplete, or incorrect classification\nblocks, source references, portion markings, dissemination markings, and\ndeclassification instructions. DOJ component officials generally agreed with\nour findings that some information in certain documents should not have\nbeen classified and that the markings on many documents were not\naccurate.\n\n      In addition, we found that the National Security Division, Criminal\nDivision, and the DEA incorrectly categorized many decisions to classify\ninformation as \xe2\x80\x9coriginal\xe2\x80\x9d classification decisions when these decisions\nactually were derivative classification decisions, as the classified information\nin the documents had been classified previously. The risk inherent in this\npractice is that individuals who inappropriately apply original decisions could\napply these decisions inconsistently for the same types of information and\ninformation that should be treated similarly will be classified differently\nacross programs. Also, this practice could result in classifiers believing that\nthey could establish the classification levels, dissemination controls, or\ndeclassification dates of their choosing rather than the ones previously\nestablished by the actual original classification decision.\n\n       We found several factors that we believe contributed to DOJ\ncomponents incorrectly classifying and marking documents, including\nweaknesses in DOJ\xe2\x80\x99s implementation classification standards, the limited\ndistribution of automated tools designed to improve the classification and\nmarking processes, and weaknesses in the application of security education\nand training programs.\n\n       Ensuring that information is classified and marked appropriately falls\nwithin SEPS\xe2\x80\x99s responsibilities for developing and managing DOJ policy for\nclassified national security information. With nearly 60,000 personnel\nauthorized to access and derivatively classify national security information,\nSEPS\xe2\x80\x99s responsibilities are significant. SEPS has developed oversight and\nreview processes for classified national security information, as directed by\nEO 13526, which prescribes a uniform system for classifying, safeguarding,\nand declassifying national security information. But SEPS has encountered\nproblems executing and overseeing those procedures, in part because of\ninsufficient resources devoted to these responsibilities and weaknesses in\ninfrastructure, training, and controls throughout DOJ.\n\n      To help improve DOJ\xe2\x80\x99s classification management program and\nimplementation of classification procedures, we made 14 recommendations\nto SEPS. These recommendations include determining the classified\ninfrastructure enhancements that are needed to successfully use and share\nappropriate types of classified information; enhancing DOJ\xe2\x80\x99s classification\n\n\n                                       iii\n\x0ctraining programs to ensure that all personnel are aware of policies,\nprocedures, and requirements for classifying national security information;\nand improving oversight practices to ensure that all DOJ components are\nreporting accurate information in classification-related reports and are in\ncompliance with all regulatory requirements.\n\n\n\n\n                                     iv\n\x0c                   AUDIT OF THE DEPARTMENT OF JUSTICE\xe2\x80\x99S \n\n              IMPLEMENTATION OF AND COMPLIANCE WITH CERTAIN \n\n                      CLASSIFICATION REQUIREMENTS \n\n\n\n                                        TABLE OF CONTENTS\nINTRODUCTION .......................................................................................... 1\n\n      Classified Information ...................................................................... 2 \n\n      The Classification Process ................................................................. 3 \n\n      Classification Marking Requirements .................................................... 5 \n\n      DOJ\xe2\x80\x99s Classification Structure ............................................................ 9 \n\n      Prior Audits and Reviews .................................................................. 9 \n\n      OIG Audit Approach ...................................................................... 11 \n\nFINDINGS AND RECOMMENDATIONS........................................................ 13\n\nI. DOJ CLASSIFICATION POLICIES, PROCESSES, AND PRACTICES .......... 13\n\n      DOJ Original and Derivative Classifiers ............................................... 13 \n\n      DOJ Security Classification Guides .................................................... 15 \n\n      DOJ\xe2\x80\x99s FY 2012 Classification Decisions ............................................... 22 \n\n      Factors Contributing to Classification Deficiencies ................................. 33 \n\n      Classification of Otherwise Unclassified Information .............................. 42 \n\n      Recommendations ........................................................................ 43 \n\nII. DOJ CLASSIFICATION OVERSIGHT AND MANAGEMENT........................ 45\n\n      SEPS Classification Management and Oversight .................................... 45 \n\n      Special Access Programs ................................................................ 46 \n\n      Classification Program Reporting Requirements .................................... 47 \n\n      Self-Inspections ........................................................................... 48 \n\n      Oversight of Compromised Classified Information ................................. 49 \n\n      DOJ Implementation of Regulatory Requirements ................................. 50 \n\n      Recommendations ........................................................................ 51 \n\nSTATEMENT ON INTERNAL CONTROLS...................................................... 52\n\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ................ 53\n\nAPPENDIX I: AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY .............. 55\n\nAPPENDIX II: CLASSIFIED DOCUMENT MARKING REQUIREMENTS .......... 61\n\nAPPENDIX III: JUSTICE MANAGEMENT DIVISION\xe2\x80\x99S RESPONSE TO THE \n\n              DRAFT REPORT ................................................................ 62\n\nAPPENDIX IV: OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND \n\n             SUMMARY OF ACTIONS NECESSARY TO CLOSE THE \n\n             REPORT ............................................................................ 69\n\n\x0cThis page intentionally left blank\n\x0c                                  INTRODUCTION\n\n       The appropriate classification of information is critical to the\ngovernment\xe2\x80\x99s efforts to ensure national security. However, the\n9/11 Commission, Congress, and the White House have recognized that the\nover-classification of information interferes with accurate and actionable\ninformation sharing, increases the cost of information security, and\nneedlessly limits stakeholder and public access to information.4 In 2010,\nCongress passed Public Law 111-258, the Reducing Over-Classification Act,\nrequiring federal agencies that classify information to implement programs\nthat enforce compliance with applicable laws, executive orders, and other\nauthorities pertaining to the proper classification of information and use of\nclassification markings.\n\n       Executive Order (EO) 13526, which is referred to in the Reducing\nOver-Classification Act, prescribes a uniform system for classifying,\nsafeguarding, and declassifying national security information.5 The National\nArchives and Records Administration\xe2\x80\x99s (NARA) Information Security\nOversight Office is responsible for issuing directives for implementing\nEO 13526 to all government agencies that come into possession of classified\ninformation.6 In turn, DOJ is required to establish and implement uniform\nsecurity polices and operations procedures for the classification,\nsafeguarding, and declassification of national security information within the\nDepartment. In addition, the Office of the Director of National\nIntelligence (ODNI) is responsible for issuing implementation directives to\nthe Intelligence Community related to the protection of intelligence sources,\nmethods, and activities.7 Within the Department of Justice (DOJ), the\nFederal Bureau of Investigation\xe2\x80\x99s (FBI) National Security Branch and the\nDrug Enforcement Administration\xe2\x80\x99s (DEA) Office of National Security\nIntelligence are members of the Intelligence Community and therefore must\n\n       4\n          The National Archives and Records Administration\xe2\x80\x99s (NARA) Information Security\nOversight Office developed the working definition of \xe2\x80\x9cover-classification\xe2\x80\x9d as the designation\nof information as classified when the information does not meet one or more of the\nstandards for classification under section 1.1 of EO 13526. In other words,\nover-classification is either treating unclassified information as if it were classified, or\nclassifying it at a higher level of classification than is appropriate.\n       5\n           EO 13526, Classified National Security Information, December 29, 2009.\n       6\n        These directives are identified in the Federal Register as 32 CFR Part 2001 and\n2003 Part V Classified National Security Information; Final Rule, June 28, 2010.\n       7\n       ODNI issues Intelligence Community policies and directives to the Intelligence\nCommunity through the Intelligence Community Policy System as designated by EO 12333.\n\n\n                                              1\n\n\x0cabide by ODNI guidelines and directives in addition to those promulgated by\nDOJ.\n\nClassified Information\n\n       EO 13526 mandates that information should be considered for\nclassification when its unauthorized disclosure could reasonably be expected\nto cause identifiable damage to national security.8 Such national security\ninformation may be classified as Top Secret, Secret, or Confidential, as\nshown in Exhibit I-1.9 EO 13526 specifies that if significant doubt exists\nabout what level information should be classified at, the information should\nbe classified at the lower level.\n\n\n\n\n       8\n          Classified information is not the only information that is shielded from the public.\nFor instance, unclassified information that is law enforcement sensitive, information that is\nsubject to executive, deliberative, or attorney-client privilege, and personally identifiable\ninformation, may all be withheld from the public under appropriate circumstances.\n       9\n           Classified information also may be identified as Sensitive Compartmented\nInformation (SCI). SCI is also referred to as "codeword" information. SCI is not a\nclassification level, but rather a requirement for formal access controls. SCI refers to\ninformation associated with certain intelligence sources, methods, or analytical processes.\nThe sensitivity of SCI requires that it be protected in a much more controlled environment\nthan other classified information and requires handling exclusively within formal access\ncontrol systems.\n\n\n                                               2\n\n\x0c                                        EXHIBIT I-1 \n\n                            CLASSIFICATION LEVELS \n\n                                   AND THE \n\n                         ASSOCIATED DEGREE OF DAMAGE \n\n\n                                 Top Secret \xe2\x80\x93 Unauthorized\n                                 disclosure could cause\n                                 exceptionally grave damage to\n                                 national security.\n\n\n\n                                 Secret - Unauthorized disclosure\n                                 could cause serious damage to\n                                 national security.\n\n\n\n\n                                 Confidential - Unauthorized\n                                 disclosure could cause damage to\n                                 national security.\n\n               Source: Executive Order 13526\n\nThe Classification Process\n\n       When information is first identified as posing a risk to national security\nif disclosed without authorization, an official with \xe2\x80\x9cOriginal Classification\nAuthority\xe2\x80\x9d (OCA) designates the information as classified.10 This initial\ndesignation is referred to as the \xe2\x80\x9coriginal classification decision.\xe2\x80\x9d The\noriginal classification decision must include a justification for why the\ninformation needs to be classified based on eight categories prescribed in\nEO 13526, the potential damage to national security, and the date the\n\n\n\n\n      10\n           According to EO 13526, original classification authority is delegated by the\nPresident and the Vice President and can be further delegated by an agency head or certain\nother officials designated with original classification authority.\n\n\n                                            3\n\n\x0cinformation shall be declassified.11 OCA officials convey their original\nclassification decisions either by marking the original document, or, more\noften, by including their decision in a \xe2\x80\x9csecurity classification guide\xe2\x80\x9d that can\nbe used to assist in future decisions about whether to classify information in\nother documents.\n\n       Once an OCA official classifies specific information or issues a security\nclassification guide identifying information categories and the appropriate\nclassification levels, the information may be used by others in a derivative\nform, such as through paraphrasing, direct quotation, or summarization.\nWhen classified information is used in this manner by others after the initial\ndesignation, it also requires classification, and the information receives what\nis referred to as a \xe2\x80\x9cderivative classification decision.\xe2\x80\x9d When making a\nderivative classification decision, the derivative classifier must observe and\nrespect the original classification decision and carry forward to any newly\ncreated document the pertinent classification markings from the source\ndocument or the security classification guide.\n\n       Derivative classifiers are responsible for ensuring that the information\nin the documents they produce is appropriately classified and properly\nmarked. Any individual with a current security clearance has the authority\nto make derivative classification decisions in conjunction with their\nperformance of their official duties. Exhibit I-2 provides an overview of the\nclassification process.\n\n\n\n\n       11\n           Section 1.4 of EO 13526 prescribes the following eight categories for classified\nnational security information: (a) military plans, weapons systems, or operations;\n(b) foreign government information; (c) intelligence activities (including covert action),\nintelligence sources or methods, or cryptology; (d) foreign relations or foreign activities of\nthe U.S., including confidential sources; (e) scientific, technological, or economic matters\nrelating to the national security; (f) U.S. government programs for safeguarding nuclear\nmaterials or facilities; (g) vulnerabilities or capabilities of systems, installations,\ninfrastructures, projects, plans, or protection services relating to the national security; and\n(h) the development, production, or use of weapons of mass destruction.\n\n\n                                               4\n\n\x0c                                    EXHIBIT I-2 \n\n              OVERVIEW OF THE CLASSIFICATION PROCESS\n\n\n\n\n\nSource: Office of the Inspector General (OIG) Analysis of DOJ Documentation\n\nClassification Marking Requirements\n\n     A critical part of any uniform classification management program is to\nensure that standard markings or other indicia be applied to classified\n\n                                           5\n\n\x0cinformation to identify the level of classification. In addition, federal\nagencies have a system of restrictive caveats and associated dissemination\ncontrol and handling markings that can be added to a document. These\nmarkings, which are defined in classification marking guides, provide\ninstruction on how to control and handle the dissemination of classified\ninformation. For instance, control markings might indicate that information\nmay not be disseminated to a non-U.S. person and should include the\nmarking, Not Releasable to Foreign Nationals (NOFORN).\n\n       To help standardize the marking of classified information throughout\nthe U.S. government, NARA\xe2\x80\x99s Information Security Oversight Office has\nissued classification guidance and a booklet containing instructions for\nmarking classified national security information. The NARA Information\nSecurity Oversight Office\xe2\x80\x99s Marking Classified National Security Information\nbooklet is the baseline marking system that federal agencies are required to\nuse to mark classified information. The booklet briefly describes how\nclassified documents should be marked, although it also acknowledges that\nits guidance cannot anticipate every conceivable situation.\n\n       To supplement the Information Security Oversight Office\xe2\x80\x99s Marking\nClassified National Security Information booklet, ODNI established the\nIntelligence Community Authorized Classification and Control Marking\nManual (Manual) through its Controlled Access Program Coordination Office\n(CAPCO). The CAPCO Manual, which is longer and more detailed than the\nInformation Security Oversight Office\xe2\x80\x99s Marking Classified National Security\nInformation booklet, prescribes a standard set of markings to be applied to\nclassified documents and information created within the Intelligence\nCommunity, including agency-specific markings. In addition to classification\nmarkings, the CAPCO Manual includes instructions for the Intelligence\nCommunity on using markings to communicate the nature of the\ninformation, as well as dissemination control markings that indicate how and\nwith whom the information should be shared. Unlike the Information\nSecurity Oversight Office\xe2\x80\x99s Marking Classified National Security Information\nbooklet, which applies to all federal agencies, the CAPCO Manual only applies\nto members of the Intelligence Community and agencies that have an\nestablished written agreement with the Intelligence Community. Inside of\nDOJ, the CAPCO Manual only applies to those sections of DEA and FBI that\nare recognized members of the Intelligence Community.\n\n       Original and derivative classifiers are required to refer to these\nclassification marking guides to ensure that national security information is\nappropriately marked, which in turn helps ensure the proper dissemination\nand protection of classified information. The following exhibit identifies the\nprimary classification and control markings that should be identified on all\n\n                                       6\n\n\x0cclassified documents.12 These classification marking requirements are for all\nclassified information whether it is in a hard copy document, an e-mail, or\nanother electronic form.\n\n\n\n\n     12\n          Appendix II provides a sample document that displays these required markings.\n\n\n                                            7\n\n\x0c                                       EXHIBIT I-3 \n\n                   Classified Document Marking Requirements\n\n    Marking\n                        Original Classification           Derivative Classification\n  Requirement\n  Overall           The overall classification level must be included in a banner at the\n  Classification    top and bottom of every classified document and indicate the\n  Marking           highest level of classification within any portion of the document.\n\n  Classification    Classified By: Identifies the       Classified By: Identifies the\n  Block             Original Classification Authority   derivative classifier by name and\n                    by name and position or personal    position or by personal identifier\n                    identifier, and the agency and      and the derivative classifier\xe2\x80\x99s\n                    office of origin.                   agency and office.\n\n                    Reason: Identifies at least one     Derived From: Lists the source\n                    of eight categories of classified   document(s) or the security\n                    information from EO 13526           classification guide relied upon\n                    1.4(a-h)                            for the classification, and the\n                                                        agency or office and date of the\n                                                        source or guide.\n\n                    Declassify On: Lists date or        Declassify On: Must carry\n                    event by which classified           forward the declassification\n                    information can be declassified.    instruction from the source\n                                                        document(s) or classification\n                                                        guide.\n\n  Portion           All portions of the document        All portions of the document\n  Markings13        must be separately and properly     must be separately and properly\n                    marked with the classification of   marked with the classification\n                    that portion. The portion           carried over from the source\n                    marking precedes the portion to     document(s) or security\n                    which it applies.                   classification guide(s) to the\n                                                        derivatively classified document.\n                                                        The portion marking precedes\n                                                        the portion to which it applies.\n\n                                  Additional Markings\n  Dissemination     Dissemination control markings are used to indicate restrictions on\n  Control           who may have access to the information. If dissemination control\n  Markings          markings are necessary, they must be included in the overall\n  (if necessary)    marking of the document and within each portion to which they\n                    apply. The Intelligence Community requires its member agencies to\n                    include dissemination control markings on all pieces of information.\n\n    Source: OIG Analysis of DOJ Documentation\n\n\n       13\n          Portions may include sections, parts, paragraphs, sub-paragraphs, subjects, titles,\ngraphics, tables, and bullets within a document.\n\n\n                                              8\n\x0cDOJ\xe2\x80\x99s Classification Structure\n\n       Federal government organizations that create or hold classified\ninformation are responsible for its proper management. Classification\nmanagement includes various activities, such as developing classification\nguides, conducting comprehensive mandatory training for classifiers, and\nimplementing a robust self-inspection program. Within DOJ, the Director of\nthe Security and Emergency Planning Staff (SEPS) in DOJ\xe2\x80\x99s Justice\nManagement Division is the designated Department Security Officer. SEPS\nis responsible for implementing DOJ\xe2\x80\x99s classification management program\nand ensuring DOJ\xe2\x80\x99s organizational compliance with classification\nrequirements pursuant to national security information laws, regulations,\ndirectives, and other guidance from NARA\xe2\x80\x99s Information Security Oversight\nOffice and ODNI, as appropriate. SEPS established the Security Program\nOperating Manual (SPOM), which prescribes uniform security policies and\noperating procedures for the protection of classified national security\ninformation within DOJ.\n\n       SEPS relies on a Security Programs Manager in each DOJ component\nto implement and manage security policies and procedures within the\ncomponent, including policies and procedures relating to the classification\nand security of national security information. Security Programs Managers\nare accountable to the Department Security Officer for matters related to the\nmanagement and coordination of all security programs and plans within their\nrespective organizations. In general, Security Programs Managers are\nresponsible for administering education and training programs, overseeing\nphysical and classification security procedures, supervising annual\nself-inspections, initiating risk assessments, coordinating security clearances\nfor personnel, and reporting and resolving security violations for their\nrespective agencies. The Security Programs Managers are the security\nexperts for DOJ components and serve as the first line of reference for\npersonnel who have questions related to the classification and security of\nnational security information.\n\nPrior Audits and Reviews\n\n      In 2004 and 2006, NARA\xe2\x80\x99s Information Security Oversight Office\nconducted on-site inspections of DOJ classification and security practices and\nfound that improvements were needed in program management and\norganization, security education and training, classification guidance,\ntracking security violations, self-inspections, and the marking of classified\ndocuments. NARA\xe2\x80\x99s Information Security Oversight Office determined that\nDOJ needed to take corrective action to improve essential classification and\nsecurity policies and procedures, including increasing resources to oversee\n\n                                      9\n\n\x0cDOJ\xe2\x80\x99s classified national security information program. In addition, NARA\xe2\x80\x99s\nInformation Security Oversight Office conducted reviews of the DEA and FBI\nclassification programs in 2006 and 2009, respectively. These reviews\nidentified classified document discrepancies, including over-classified\ninformation, missing or improper portion markings, improper use of original\nclassification authority, incorrect declassification instructions, and\ninformation not properly referenced to source documents.\n\n       In 2006, the Government Accountability Office (GAO) also reviewed\nDOJ\xe2\x80\x99s management of classified information.14 This review included an\nassessment of DOJ\xe2\x80\x99s implementation of NARA\xe2\x80\x99s Information Security\nOversight Office on-site inspection recommendations. GAO reported that\nDOJ did not know the optimum number of staff it needed for its classification\nprogram because it had not assessed its needs and did not have a strategy\nto identify how it would use additional resources to address classification\nprogram deficiencies. GAO found that, as a result of these resource issues,\nDOJ had not fully implemented various recommendations from NARA\xe2\x80\x99s\nInformation Security Oversight Office and DOJ\xe2\x80\x99s ability to oversee\nclassification practices across components was insufficient.\n\n       The Office of the Inspector General (OIG) reviewed personnel security\nprocesses throughout DOJ and issued reports in September 2012 and\nMarch 2013 that included recommendations to increase resources devoted to\ncertain security program issues.15 These reports found that SEPS did not\nimplement adequate personnel security processes to identify security\nviolations and enforce security policies. Moreover, SEPS issued minimal\nguidance for components to follow in managing their contractor security\nprograms and the guidance does not provide standards for maintaining\naccurate rosters on contract employees or periodic reinvestigations. The\nOIG made a total of 17 recommendations in these 2 reports to improve\nDOJ\xe2\x80\x99s timeliness in processing background investigations and adjudications,\nensure that only individuals with the appropriate clearance level have access\nto sensitive and classified information, and improve DOJ\xe2\x80\x99s management of its\npersonnel security process for contractors. These recommendations\nincluded increasing the amount of SEPS staff dedicated to conducting\n\n       14\n          U.S. Government Accountability Office, Managing Sensitive Information: DOJ\nNeeds a More Complete Staffing Strategy for Managing Classified Information and a Set of\nInternal Controls for Other Sensitive Information. GAO-07-83 (October 2006).\n       15\n          U.S. Department of Justice, Office of the Inspector General (OIG), Department\xe2\x80\x99s\nand Component\xe2\x80\x99s Personnel Security Processes. I-2012-003 (September 2012) and OIG,\nReview of the Department\xe2\x80\x99s Contractor Personnel Security Process. I-2013-003\n(March 2013).\n\n\n                                            10 \n\n\x0csecurity compliance reviews. Although SEPS concurred with this\nrecommendation, at the time of the report SEPS was uncertain when it\nwould be able allocate additional resources to compliance review efforts due\nto the fiscally conservative environment and the current DOJ hiring freeze.\n\nOIG Audit Approach\n\n       Pursuant to Section 6(b) of the Reducing Over-Classification Act, the\nInspector General of any Department with an official with original\nclassification authority, which includes DOJ, must conduct two evaluations\nto: (1) assess whether applicable classification policies, procedures, rules,\nand regulations have been adopted, followed, and are effectively\nadministered within such department, agency, or component; and\n(2) identify policies, procedures, rules, regulations, or management practices\nthat may be contributing to persistent misclassification of material within\nsuch department, agency, or component. The Reducing Over-Classification\nAct requires the first evaluation to be completed by September 30, 2013,\nwhich this audit report satisfies. The second evaluation, which is due by\nSeptember 30, 2016, will review DOJ\xe2\x80\x99s progress implementing the\nrecommendations of this audit.\n\n       Section 6(b) of the Reducing Over-Classification Act also requires\nindividual Inspectors General coordinate to ensure that the evaluations\nfollow a consistent methodology. In accordance with this requirement, the\nODNI Office of the Inspector General and the Department of Defense Office\nof the Inspector General established an Inspectors General Working Group\nto develop a standardized approach for the first evaluation. We participated\nin the Inspectors General Working Group and used the standardized\nevaluation guide during the course of our review. However, the DOJ OIG\xe2\x80\x99s\naudit focused exclusively within DOJ, and we have not conducted any\ncross-agency comparisons of classification policies and practices. We are\ntherefore unable to assess whether different agencies treat the same\ninformation the same way.\n\n      During this audit, we conducted over 100 interviews with officials from\nSEPS, the FBI, the DEA, the Criminal Division, the National Security Division,\nand the United States Marshals Service (USMS).16 In addition, we reviewed\n10 security classification guides and a sample of 141 classified documents\ncreated during fiscal year (FY) 2012 comprised of finished reports,\nmemoranda, legal documents, summary reports, e-mails, case file\ndocuments, Intelligence Information Reports (IIR), and DEA Analysis\n\n      16\n           For more information about our audit scope and methodology, see Appendix I.\n\n\n                                            11 \n\n\x0cReports. During our review, we also reviewed classified information from\nprograms that require special access controls.17\n\n       The results of our review are detailed in Findings I and II. Finding I\nprovides the results of the OIG\xe2\x80\x99s evaluation of DOJ\xe2\x80\x99s classification policies,\nprocesses, and practices, including a review of DOJ\xe2\x80\x99s classified national\nsecurity information decisions and its use of classification management tools.\nFinding II provides our analysis of DOJ\xe2\x80\x99s management and oversight of the\nclassification program, including an overview of DOJ\xe2\x80\x99s implementation of\nstatutory and regulatory requirements.\n\n\n\n\n       17\n          Due to the sensitivity of the classified information related to these programs, the\nresponsible component instituted special access controls, including logging the individuals\nwho are granted access, providing these individuals a \xe2\x80\x9cread-on briefing\xe2\x80\x9d to present\nbackground information on the program, and requiring the individuals to sign a\nnon-disclosure agreement.\n\n\n                                             12 \n\n\x0c                  FINDINGS AND RECOMMENDATIONS \n\n\nI.     DOJ CLASSIFICATION POLICIES, PROCESSES, AND PRACTICES\n\n       DOJ has established classification policies and procedures, but\n       has not effectively administered those policies and procedures to\n       ensure that information is classified and disseminated\n       appropriately. Although our review of a small sample of\n       documents did not find indications of widespread\n       misclassification, we did identify deficiencies with the\n       implementation of DOJ\xe2\x80\x99s classification program, including\n       persistent misunderstanding and lack of knowledge of certain\n       classification processes by officials within various DOJ\n       components. We also found various classification marking errors\n       throughout the classified documents we reviewed. These\n       marking errors stemmed from reliance on historical practices and\n       had been overlooked because of inadequate training and\n       oversight. We believe that DOJ could improve its classification\n       program by enhancing security classification and marking guides\n       to better explain why and how information is classified, and by\n       using existing automated tools to improve classification and\n       marking practices. Moreover, we believe that SEPS should work\n       with component Security Programs Managers to improve\n       personnel training on classification requirements, procedures,\n       and guidance.\n\nDOJ Original and Derivative Classifiers\n\n       The act of original classification requires that an OCA official identify\nthe elements of information regarding a specific subject that must be\nclassified, describe the damage to national security that could reasonably be\nexpected if the information is disclosed, determine how long that information\nneeds to be protected, and document these decisions in a security\nclassification guide or to the original (source) document.18 Derivative\nclassifiers must interpret the OCA guidance from the classification guide or\nfrom various source documents and determine how to mark classified\nproducts they produce.\n\n       Pursuant to EO 13526, the President has delegated original\nclassification authority to the Attorney General, who has further delegated\n       18\n          An element of information is a specific piece of information related to an overall\nsubject area that an OCA official has determined meet the requirements for classification.\n\n\n                                             13 \n\n\x0coriginal classification authority to 63 DOJ officials from 13 components. In\naddition, DOJ has nearly 60,000 personnel that hold security clearances and\nare therefore eligible to derivatively classify information in the performance\nof their duties. Exhibit 1-1 identifies the number of DOJ personnel by\ncomponent with authority to make original classification decisions, as well as\nthose who can derivatively classify information.\n\n                                     EXHIBIT 1-1\n                        DOJ Officials with Original and\n                       Derivative Classification Authority\n                                as of April 2013\n                                                               OCA         Derivative\n  DOJ Component\n                                                               Officials   Classifiers\n  Office of the Attorney General                               2           17\n  Office of the Deputy Attorney General                        3           45\n  Office of the Associate Attorney General                     1           8\n  Office of the Inspector General                              1           421\n  Antitrust Division                                           1           79\n  Bureau of Alcohol, Tobacco, Firearms, and Explosives         1           4,224\n  Criminal Division                                            7           749\n  Drug Enforcement Administration                              20          7,160\n  Federal Bureau of Investigation                              17          35,951\n  Federal Bureau of Prisons                                    1           14\n  Justice Management Division                                  2           524\n  National Security Division                                   7           364\n  U.S. Marshals Service                                        1           3,096\n  All Other DOJ Components19                                   0           5,327\n  TOTAL                                                        64          57,97920\n Source: SEPS\n\n      According to EO 13526, the delegations of OCA officials shall be limited\nto the minimum required to ensure the consistency and integrity of classified\nnational security information, and agency heads are responsible for ensuring\nthat designated subordinate officials have a demonstrable and continuing\nneed to exercise this authority. To ensure that DOJ had the appropriate\n\n      19\n         According to the list provided by SEPS, there were 28 DOJ components that\ncomprised the \xe2\x80\x9call other DOJ components\xe2\x80\x9d category as of April 2013.\n      20\n           These figures were obtained from SEPS and represent the number of people in its\ndatabase of security clearance holders. This figure only includes full-time DOJ employees\nand does not include DOJ contractors who have security clearances and are able to\nderivatively classify information. We did not verify these figures with each component and\nthey were not used in the development of our conclusions or recommendations.\n\n\n                                           14 \n\n\x0cnumber of OCA officials, DOJ conducted a Department-wide evaluation\nbetween fiscal years (FY) 2011 and 2012. SEPS directed each component to\ndetermine which positions require original classification authority and to\nreduce the number, if possible. SEPS concluded its review in July 2012 and\nproposed to reduce the number of DOJ OCA officials by 38, from 102 to 64.\nThe Attorney General approved these changes in April 2013.\n\n       The OIG found that DOJ\xe2\x80\x99s reduction of OCA officials was the result of\nthe FBI reducing its number of OCA officials from 55 in FY 2012 to 17 in\nFY 2013. During this initiative, the Criminal Division, the National Security\nDivision, and the DEA did not reduce the number of authorized OCA officials.\nAlthough the DEA previously reduced its number of positions with original\nclassification authority in 2007, the DEA maintained its level of 20 OCA\nofficials from FY 2012 to FY 2013 even though only 7 of these 20 OCA\nofficials made \xe2\x80\x9coriginal classification decisions\xe2\x80\x9d in FY 2012. In addition,\nalthough the National Security Division did not reduce the number of OCA\nofficials during the SEPS review, National Security Division officials informed\nthe OIG that the number of OCA officials could be decreased by at least one.\n\n       Based on our review of types of information classified within DOJ, we\nbelieve that the frequency in which information is classified in the first\ninstance should be extremely rare. Therefore, having more individuals with\noriginal classification could contribute to information being classified at\ndifferent levels and retained for varying periods of time. As a result, we\nbelieve that the number of OCA officials within DOJ could be further reduced,\nparticularly at the DEA, which has the highest ratio of DCA officials to OCA\nofficials at 358 to 1, as illustrated in Exhibit 1-1. In comparison, the FBI, the\nlargest component within DOJ, has a DCA-to-OCA ratio of 2,115 to 1, and\nthe DOJ-wide ratio is 905 to 1. We recommend that SEPS, in conjunction\nwith the components, re-evaluate the number and types of positions that\nrequire original classification authority to ensure compliance with EO 13526.\n\nDOJ Security Classification Guides\n\n       Security classification guides contain original classification decisions\nand provide derivative classifiers with a set of instructions from an OCA\nofficial to use when making derivative classification decisions. Security\nclassification guides identify predetermined classification decisions on\nvarious topics of program-specific information, the classification level of that\ninformation, the nature of the risk to national security, the length of time the\ninformation should remain classified, and the reason for classification, which\nidentifies the specific category of national security information from\nSection 1.4 of EO 13526 into which the information falls. As an example,\n\n\n                                       15 \n\n\x0cExhibit 1-2 includes an excerpt from the DOJ\xe2\x80\x99s National Security Information\nSecurity Classification Guide.\n\n                                      EXHIBIT 1-2 \n\n            Example of a DOJ Security Classification Guide Element \n\nItem                                          Classification    Declassify     Classification\n             Category of Information\n No.                                              Level            On            Reason21\n  2    Individually unclassified or            Confidential     +25 years        1.4 (c), (g)\n       controlled unclassified data items\n       that the compilation would\n       provide insight into DOJ\xe2\x80\x99s\n       functions, staffing, activities,\n       capabilities, vulnerabilities, or\n       intelligence sources and methods.\n Source: DOJ National Security Information Security Classification Guide\n\n      In FY 2012, DOJ had ten approved security classification guides: one\ncomprehensive guide established by SEPS for Department-wide use and nine\nadditional guides created by the FBI, DEA, Criminal Division, and USMS for\nuse by the individual components. The SPOM requires DOJ components to\nsubmit initial and updated security classification guides to the Department\nSecurity Officer for approval. The following exhibit provides the number of\nSEPS-approved DOJ security classification guides by component as of\nJuly 2013.\n\n                                      EXHIBIT 1-3\n                 Approved DOJ Security Classification Guides\n                             as of June 2013\n                                                       Approved\n                             DOJ                        Security\n                          Component                  Classification\n                                                         Guides\n                   SEPS/Department-wide                     1\n                      Criminal Division                     1\n                            DEA                             1\n                            FBI                             6\n                           USMS                             1\n                           Total                           10\n                      Source: SEPS\n\n\n\n\n       21\n            See footnote 11 for the eight approved classification categories that correspond to\nclassification reason codes.\n\n\n                                              16\n\x0c       In general, we found that all security classification guides in use\nthroughout DOJ met the minimum requirements established by SEPS,\nincluding, but not limited to, identifying the types and specific topics of\ninformation deemed classified and identifying reasons for classifying the\ninformation, the level at which the information should be classified, and the\nduration of the classification. However, we also found that DOJ had not\nsufficiently coordinated the creation of security classification guides and that\nsome of the security classification guides used throughout DOJ could benefit\nfrom additional clarification on specific details to optimally ensure that\nderivative classifiers of DOJ information could make informed and accurate\nclassification decisions. These issues are discussed further below.\n\nCreation of Security Classification Guides\n\n       In 2008, ODNI issued a report on classification guidance stating that a\ncritical component of effective intelligence collaboration and information\nsharing is a common understanding of information classification standards\nand policies.22 The report further noted that inconsistent interpretation and\napplication of the classification levels defined by agencies can result in\nuneven guidance, misunderstanding, and a lack of trust between Intelligence\nCommunity agencies and mission partners concerning the proper handling\nand protection of information. Moreover, the report cited variations and\nconflicts among classification guidance as having the potential to slow or\nprevent critical information sharing among agencies, governments, and\nother national security partners.\n\n      During our review, we found that the creation of security classification\nguides was not well coordinated by SEPS, component Security Programs\nManagers, and other officials responsible for overseeing component-level\nprograms that routinely handle mission-specific national security\ninformation. SEPS established the DOJ National Security Information\nSecurity Classification Guide, which was intended for Department-wide use.\nIn developing the guide, SEPS relied upon component Security Programs\nManagers to consult others within their components to ensure the guide\nappropriately accounted for the types of information that would be\nencountered by derivative classifiers using the guide. However, we found\nthat some component Security Programs Managers did not confer with\npertinent offices during the review and acceptance of the content. Further,\nsome DOJ components created additional security classification guides for\n\n\n\n      22\n       ODNI, Intelligence Community Classification Guidance Findings and\nRecommendations Report, January 2008.\n\n\n                                         17 \n\n\x0ctheir programmatic use without fully coordinating with SEPS or, in at least\none instance, with other affected components.\n\n      Specifically, the DOJ National Security Information Security\nClassification Guide includes guidance related to Foreign Intelligence\nSurveillance Act (FISA) processes. Yet according to some National Security\nDivision officials interviewed, the National Security Division, which performs\nvarious FISA-related activities, was not involved in the development of this\nguidance, and as of May 2013, National Security Division officials, including\nattorneys who work with FISA-related information, were unaware that this\nguidance existed. During interviews with the OIG, SEPS and National\nSecurity Division officials acknowledged this discrepancy and agreed that the\nNational Security Division should work with SEPS to incorporate into the DOJ\nNational Security Information Security Classification Guide all relevant\nrequirements, policy decisions, and processes related to classified national\nsecurity information in the National Security Division or specifically related to\nFISA processes. In addition, the National Security Division has taken steps\nto improve its employees\xe2\x80\x99 awareness of the DOJ National Security\nInformation Classification Guide by including a link to the guide on National\nSecurity Division intranet site.\n\n       We also found that the USMS established a security classification guide\nin FY 2012, the USMS Operations and Capabilities Security Classification\nGuide, that contains many of the same national security information already\nidentified in the DOJ National Security Information Security Classification\nGuide. As a result, SEPS officials told us that, in their opinion, it was\nunnecessary for the USMS to have its own security classification guide.\nAccording to USMS officials in charge of producing the USMS guide, SEPS did\nnot inform them and they did not inquire about the possibility of\nincorporating national security information specific to the USMS into the DOJ\nNational Security Information Security Classification Guide. Nevertheless,\nUSMS officials agreed that its guide could be integrated into the DOJ\nNational Security Information Security Classification Guide. Following our\ninquiries, SEPS informed us that as of July 2013 the USMS\xe2\x80\x99s security\nclassification guide was not being utilized nor was it approved for use within\nthe USMS. In August 2013, SEPS and the USMS began coordinating to\nintegrate the USMS\xe2\x80\x99s needs into the DOJ-wide guide and ensure that the\nDOJ National Security Information Security Classification Guide is utilized\neffectively within the USMS.\n\n       In addition, we found that the Criminal Division created a security\nclassification guide in July 2012 for classifying and handling information for a\njoint program the Criminal Division administers with the DEA, but that\ndespite sharing original classification authority over the relevant information\n\n                                       18 \n\n\x0cwith DEA officials, the Criminal Division did not actively involve the DEA\nwhen creating the guide. As a result, the DEA declined to use the Criminal\nDivision\xe2\x80\x99s security classification guide because it did not adequately address\nall of DEA\xe2\x80\x99s needs and issues. Moreover, one DEA official told us that the\nDEA would probably develop its own, parallel classification guide for the\nprogram.\n\n       According to SEPS officials, when the Criminal Division first created the\nsecurity classification guide, officials were instructed to ensure that all\nparticipants in the program were included in making the classification\ndecisions and establishing instructions for classifying national security\ninformation within the guide. Nevertheless, SEPS approved the security\nclassification guide without verifying with the DEA that all necessary\nrequirements and instances of national security information were\nincorporated.\n\n       At the audit close-out meeting, SEPS officials reiterated to the OIG\nthat they relied upon DOJ components\xe2\x80\x99 Security Programs Managers to\ncoordinate with all OCA officials, subject matter experts, and any other\nagency affected by the creation of security classification guides. Moreover,\nSEPS officials stated that SEPS\xe2\x80\x99s approval of DOJ component\xe2\x80\x99s security\nclassification guides is basically an \xe2\x80\x9cadministrative action\xe2\x80\x9d because SEPS\ndoes not have the subject matter expertise with regard to specific program\nclassification requirements. SEPS only reviews the security classification\nguides for basic form and function. Therefore, SEPS officials believe that\nDOJ component\xe2\x80\x99s OCA officials and Security Programs Managers should be\naccountable for the content of the information in program-specific DOJ\nsecurity classification guides.\n\n      We agree with SEPS\xe2\x80\x99s assessment that DOJ components\xe2\x80\x99 Security\nPrograms Managers should be held accountable for consulting with all\ninterested parties to ensure that the content of security classification guides\nis accurate and useful for all purposes. However, we attribute the lack of\ncoordination on security classification guides to a general unfamiliarity in\nDOJ with the purpose and importance of security classification guides. We\nalso believe that SEPS has a responsibility to ensure that the Security\nPrograms Managers and OCA officials understand the importance of\nconsistent, comprehensive, and accurate security classification guides.\n\n      As recognized by ODNI in its 2008 report, we believe that fewer\nsecurity classification guides would help ensure consistency of classification\ndecisions across DOJ, as the development of separate security classification\nguides regarding the same classified information can lead to different, and\npotentially conflicting, marking and handling requirements for the same\n\n                                      19 \n\n\x0cclassified information, thereby increasing the risk of marking and handling\nerrors and complicates users\xe2\x80\x99 efforts to comply with the guides. We\ntherefore recommend that SEPS should ensure that DOJ components are\naware of and understand how to use security classification guides.\nMoreover, to increase efficiency and classification accuracy, we recommend\nthat SEPS review all DOJ security classification guides and work with DOJ\ncomponent Security Programs Managers and OCA officials to identify and\nreduce redundancies.\n\nSecurity Classification Guide Assessment\n\n       During our review of DOJ\xe2\x80\x99s ten security classification guides, we found\nthat some of these guides did not provide adequate instruction on when and\nat what level to classify information. For instance, as shown in Exhibit 1-2\nthe DOJ National Security Information Security Classification Guide instructs\nusers to classify as confidential the following: \xe2\x80\x9cindividually unclassified or\ncontrolled unclassified data items that the compilation would provide insight\ninto DOJ\xe2\x80\x99s functions, staffing, activities, capabilities, vulnerabilities, or\nintelligence sources and methods.\xe2\x80\x9d However, the security classification\nguide does not explain what types of unclassified or controlled unclassified\ndata items, if combined, would result in classification. We also found that\nsome of the security classification guides identified national security\ninformation and then instructed the classifier that the classification of this\ninformation could range from unclassified to Top Secret without fully\nexplaining the circumstances that would cause the level of classification of\nthe information to escalate from one level to another. Insufficient,\nambiguous, and over-broad explanations such as these provide inadequate\nguidance to derivative classifiers and could result in the misclassification of\ninformation.\n\n       We also found that the DEA National Security Information Security\nClassification Guide contained inconsistent internal elements that identify\ndifferent ways to classify the same information. For instance, the DEA\nNational Security Information Security Classification Guide identifies two\nelements associated with foreign government information provided in\nconfidence and identifies in one element that the information should be\nidentified as unclassified law enforcement sensitive information, while the\nother element instructs users that the information should be classified as\nSecret. No guidance is offered about the different circumstances that would\ncause a derivative classifier to apply one instruction as opposed to the other.\nWe believe that these ambiguous and seemingly contradictory instructions\nare likely to result in a derivative classifier marking Secret information as\n\xe2\x80\x9cUnclassified, law enforcement sensitive,\xe2\x80\x9d or marking unclassified\ninformation as Secret.\n\n                                      20 \n\n\x0c      We found that the FBI\xe2\x80\x99s security classification guides often provided\nthe best explanations regarding the circumstances that would require the\nspecific classification of information. For example, the FBI National Security\nInformation Classification Guide contains almost two pages and three\nseparate line items devoted to the appropriate classification of case numbers\nand other case-specific identifying information. This section of the FBI guide\ncontains explicit instructions and examples for FBI employees, such as:\n\n      \xef\x82\xb7\t    \xe2\x80\x9cThe fact that a numeric and alpha designation, such as 134A or\n            315H, is or could be an FBI case file number.\xe2\x80\x9d The FBI guide\n            then provides two specific examples, including: \xe2\x80\x9cAn agent calls\n            his supervisor and tells him/her \xe2\x80\x98I\xe2\x80\x99m working a 415J matter\xe2\x80\x99\n            would be unclassified.\xe2\x80\x9d\n\n      \xef\x82\xb7\t    \xe2\x80\x9cAssociation of case file number with specific threat countries\n            and/or organizations in a national security program\xe2\x80\x9d is to be\n            classified Secret and the guide goes on to provide four additional\n            instructions (similar to the bullet above) and an explanation why\n            the information is sensitive and needs to protected.\n\n       By contrast, the DOJ National Security Information Security\nClassification Guide states that information providing \xe2\x80\x9cspecific details of\nrelationships between DOJ and members of the Intelligence Community\xe2\x80\x9d\nshould be classified at the Secret level. However, the DOJ guide does not\nprovide a definition or examples of the \xe2\x80\x9cspecific details\xe2\x80\x9d that warrant\nclassification or the potential damage if the information were released. We\nbelieve that specific instructions for derivative classifiers, similar to those\nprovided in the FBI guide, are likely to reduce instances of misclassification\nand mishandling of national security information.\n\n       According to SEPS officials, DOJ personnel who use a security\nclassification guide should have a basic understanding of what type of\ninformation must be classified and also have a responsibility to contact their\nSecurity Programs Managers to request clarification and additional guidance\nwhen needed. Nevertheless, DOJ officials who are considered classification\nsubject matter experts told us that DOJ should clarify and refine instructions\nin its security classification guides to reduce the likelihood of confusion and\nmisunderstanding among derivative classifiers. We agree, and we\nrecommend that SEPS review all DOJ security classification guides to ensure\nthat instructions are clear, precise, consistent, and provide derivative\nclassifiers with sufficient information to make accurate classification\ndecisions.\n\n\n                                       21 \n\n\x0cDOJ\xe2\x80\x99s FY 2012 Classification Decisions\n\n       In FY 2012, DOJ components with OCA officials reported a total of\n4,689 original classification decisions and over 8 million derivative\nclassification decisions, as shown in Exhibit 1-4.23\n\n                                       EXHIBIT 1-4 \n\n                        FY 2012 Classification Decisions24\n\n                                                                Original        Derivative\n DOJ Component                                               Classification    Classification\n                                                               Decisions         Decisions\n Bureau of Alcohol, Tobacco, Firearms, and Explosives              0                105\n Criminal Division                                                603               231\n Drug Enforcement Administration                                  849             80,953\n Federal Bureau of Investigation                                   4             8,355,880\n Justice Management Division                                       0                 54\n National Security Division                                      3,232              280\n Office of the Inspector General25                                 0                185\n U.S. Marshals Service                                             1                  0\n Total                                                           4,689          8,437,688\n Source: SEPS\n\n      We reviewed a judgmental sample of 25 original classification\ndecisions from the National Security Division, Criminal Division, and DEA and\n116 derivative classification decisions from the National Security Division,\nCriminal Division, FBI, and DEA.26 Our review identified several\ndiscrepancies, including incorrect designations of decisions as \xe2\x80\x9coriginal\xe2\x80\x9d\n\n       23\n            Classification decisions include all actions in which an OCA official initially\ndetermines that information should be classified and each time derivative classifiers\nincorporate, paraphrase, restate, or generate in a new form, information that is already\nclassified.\n       24\n           This chart only reflects DOJ components with at least one OCA official that made\nat least one original or derivative classification decision during FY 2012.\n       25\n          Although the OIG reported derivative classification decisions during our audit\nperiod, we excluded the OIG from our review to avoid a conflict of interest.\n       26\n            The OIG judgmentally selected a sample of classified documents with the intent of\nobtaining broad exposure to the classified work performed within DOJ components during\nFY 2012 and we focused our review on the four components with substantial numbers of\nclassification activity during FY 2012. The FBI only made four original classification\ndecisions in FY 2012 and all four of these decisions were the creation of security\nclassification guides. Because we assessed the adequacy of security classification guides\nseparately, we did not include these documents in our testing of original classification\ndecisions. A more detailed description of our sample selection methodology for each\ncomponent is in Appendix I.\n\n\n                                              22 \n\n\x0cclassification decisions, information that had been inappropriately identified\nas classified (over-classification), improper use of a dissemination control,\nand unmarked or incorrectly marked documents containing classified\nnational security information.\n\nOriginal Classification Designations\n\n       We found that the National Security Division, Criminal Division, and\nthe DEA incorrectly designated classified information as \xe2\x80\x9coriginal\xe2\x80\x9d\nclassification decisions. The documents we reviewed that were identified as\ncontaining original classification decisions in fact contained information that\npreviously had been identified as classified in at least one source document\nor in a security classification guide. Therefore, these decisions should have\nbeen identified as derivative classification decisions, not original\nclassification decisions. Based on interviews with component officials, we\nfound that each of these DOJ components had a different process and\nreason for designating the classification as original decisions instead of\nderivative decisions.\n\n       National Security Division \xe2\x80\x93 Among its other responsibilities, the\nNational Security Division processes applications for FISA warrants. During\nour review, we found that the National Security Division categorized the\nclassification of all FISA applications and all FISA-related documents as\noriginal classification decisions. Yet we found that the National Security\nDivision was creating these documents, in part, using classified national\nsecurity information submitted by other government agencies. Moreover,\naccording to National Security Division officials, all applications for FISA\nauthorities are classified at least at the Secret level.27 National Security\nDivision officials explained that historically DOJ has applied original\nclassification decisions to applications and other FISA-related pleadings\nbefore the Foreign Intelligence Surveillance Court (FISA Court). National\nSecurity Division officials believe that this practice emerged because even\nthough much of the information in the FISA documents are supplied by the\nIntelligence Community, DOJ represents the United States before the FISA\nCourt and is responsible for the form of the information provided in FISA\napplications and related documents. This policy determination, which\nestablished a National Security Division-wide protocol for classifying\nFISA-specific information, represented an original classification decision, and\nthe subsequent classification of any information meeting the criteria of this\ndecision is therefore a derivative classification decision. Consequently, the\n       27\n            This classification meets the requirements of Section 1.4 of EO 13526, which\nincludes intelligence sources or methods as a category of information that shall be\nclassified.\n\n\n                                             23 \n\n\x0cNational Security Division erred by categorizing the documents we reviewed\nas original classification decisions.\n\n       National Security Division officials, including an OCA official, agreed\nthat the National Security Division\xe2\x80\x99s FISA-related information that had been\nidentified as original classification decisions could more accurately be\nidentified as derivative classification decisions. However, some of the\nNational Security Division officials were unfamiliar with the derivative\nclassification process, despite generally following derivative classification\nprocedures by carrying over classification markings from source documents.\nNational Security Division officials also told us they were apprehensive about\nfully implementing the derivative classification process because they\nbelieved it would slow down the National Security Division\xe2\x80\x99s processes\nrelated to its FISA work. Nevertheless, the National Security Division\xe2\x80\x99s\nDirector for Security stated that the National Security Division would begin\nto implement derivative classification procedures and agreed that they would\nwork with SEPS to update the Department\xe2\x80\x99s classification guide to help\nimplement such a change. We expect that when the National Security\nDivision implements this change in procedure, its reported number of\noriginal classification decisions, as illustrated in Exhibit 1-4, will decrease\nsignificantly.\n\n      Criminal Division \xe2\x80\x93 The Criminal Division develops, enforces, and\nsupervises the application of federal criminal laws in coordination with other\ngovernment agencies, including DOJ components. We reviewed Criminal\nDivision documents containing classification decisions categorized as original\ndecisions by an OCA official and found that all of these documents did not\nmeet the criteria for an original classification decision because the classified\ninformation in each of the documents had been incorporated previously into\na security classification guide created specifically for the Criminal Division\xe2\x80\x99s\nlimited-access classified program.\n\n      When the OIG asked this official why he had not derivatively classified\nthe information using the security classification guide that he created, the\nOCA official stated that he was unsure of the difference between original and\nderivative classification decisions, and that he believed that by classifying\nthe document as an original decision he could better control who received\nthe information and how the information was used. However, this practice\nobviates the benefits of a classification guide and creates the potential for\nsetting inconsistent declassification dates.\n\n      Although this OCA official had received classification training and\nworked directly with SEPS on the creation of the security classification guide,\nthe official continued to use improper classification processes. After our\n\n                                       24 \n\n\x0cidentification of the issue, Criminal Division and SEPS officials met and\nagreed that it was appropriate to classify the information derivatively using\nthe security classification guide. We believe that when the Criminal Division\nimplements this change in practice, its reported number of original\nclassification decisions, as illustrated in Exhibit 1-4, will decrease\nsignificantly.\n\n       Drug Enforcement Administration \xe2\x80\x93 As part of its mission, DEA is\nresponsible for enforcing the controlled substances laws and regulations of\nthe United States, as well as recommending and supporting\nnon-enforcement programs aimed at reducing the availability of illicit\ncontrolled substances domestically and internationally. We found that the\nDEA was improperly classifying documents using original classification\nauthority when the information in these documents previously had been\nclassified in a security classification guide. A DEA official stated that he\nbelieved information was better protected from widespread dissemination\nwhen the classifier used original classification decisions rather than\nderivative classification decisions. However, this OCA official also\nacknowledged that the DEA\xe2\x80\x99s information did not fit the criteria for an\n\xe2\x80\x9coriginal\xe2\x80\x9d classification decision, although he expressed uncertainty when\nasked whether the DEA would revise its processes for classifying the\ninformation.\n\n       In its 2006 review of the DEA, NARA\xe2\x80\x99s Information Security Oversight\nOffice identified this same discrepancy. NARA\xe2\x80\x99s Information Security\nOversight Office briefed the DEA on the proper process for classifying\npreviously identified classified information and informed the DEA that it\nshould include the information in a security classification guide. The DEA\nresponded to the NARA review on May 8, 2007. In its response, the DEA\nacknowledged that it was incorrectly making original classification decisions\nand informed NARA\xe2\x80\x99s Information Security Oversight Office that the DEA\xe2\x80\x99s\ntwo major producers of classified documents were engaged in producing\nlocal classification guides that would be used to supplement a DEA\nclassification guide that was in draft at the time. The DEA anticipated that\nits actions would result in an increase of the number of derivative\nclassification decisions versus the number of original classification decisions\ncurrently being made by the DEA. According to the DEA, its original\nclassification decisions were reduced by 85 percent in FY 2012 as compared\nto the previous 3 years. However, despite the DEA\xe2\x80\x99s efforts, our review\nfound that the DEA continues to improperly use original classification\ndecisions, as explained above.\n\n      We believe the DEA should revise its classification processes and\npractices to comply with DOJ security and classification procedure\n\n                                      25 \n\n\x0crequirements. We also believe that, if the DEA corrects its process for\nclassifying information, its reported number of reported original classification\ndecisions, as reflected in Exhibit 1-4, will decrease significantly.\n\n       Originally classifying information that was previously classified can\ninadvertently alter the dissemination controls or extend the declassification\nperiod. For instance, if an OCA official takes information from a source\ndocument that has a declassification date set for 25 years from 2002 and\ncreates a new document that is categorized as an original classification\ndecision, the OCA official can extend the declassification date to 25 years\nfrom the date the new document was created, resulting in inconsistent\ndeclassification dates for the same information. Moreover, because\noriginally classified documents do not identify any source materials, there is\nno way to trace the information in the new, originally classified document\nback to the previously classified document to ensure that all markings are\nidentical, raising the possibility of inconsistent handling instructions for the\nsame information. Incorrectly applying OCA classification markings can also\nincrease the risk that the same information would be classified differently\nacross programs because different OCA officials could, in theory, reach\ndifferent conclusions about the appropriate classification of the same\ninformation. Additionally, improper classification processes increase the\nlikelihood that classified information will be mishandled, and as a result can\nundermine the trust and confidence that is necessary for critical sharing of\nnational security information among and within federal agencies.\n\n       Based on our findings, we believe that SEPS and DOJ component\nSecurity Programs Managers have not emphasized to OCA officials the\nimportance of the standardized classification process. SEPS should work\nwith DOJ component Security Programs Managers to ensure that OCA\nofficials understand the difference between original and derivative\nclassification decisions and properly mark classified information according to\nthe proper requirements of the classification decisions.\n\nReview of Classification Levels\n\n      Although we did not find widespread misclassification during our\nlimited review of classified DOJ documents, we found several documents in\n\n\n\n\n                                       26 \n\n\x0cwhich information was inappropriately identified as being classified.28 We\ndiscussed the specifics of these findings with the components. The following\nare some examples of over-classified information found by the OIG and the\nresponse from officials at various DOJ components.\n\n       At the National Security Division, we identified one report (erroneously\nclassified as an original decision) as over-classified because the information\ndid not meet one of the eight reasons for classification. The report referred\nto FBI classified material, but did not provide specific information about FBI\nclassified programs or cases that would justify its classification. National\nSecurity Division officials stated that their practice was to follow FBI\npractices regarding classification, and because the FBI classifies certain\nnational security programs and cases, they decided to classify the report.\nMoreover, a National Security Division official explained that they are\nsensitive to the aggregation of information that could be manipulated to\nexpose sensitive program details. However, these officials understood the\nOIG\xe2\x80\x99s assessment that, because the information contained in the report did\nnot provide classified details, the information should not have been classified\nand agreed to review the classification of future reports.\n\n       At the FBI, we identified a terrorist watchlist nomination document\nthat was classified by the preparer. Because the terrorist watchlist is an\nunclassified subset of terrorism information, the OIG asked the FBI official\nresponsible for the document why the information in the document was\nclassified. The official explained that he was unaware of the FBI\xe2\x80\x99s\nclassification requirement for watchlist nominations and was following\nprevious work experience practices from another Intelligence Community\nagency. This official agreed with the OIG that the information should have\nbeen marked unclassified.\n\n      We also found that the National Security Division and the Criminal\nDivision over-classified portions in otherwise properly classified documents\nthat contained standard language citing unclassified laws, statutes, or\nregulations. The Criminal Division official who classified the information\n\n       28\n           Key terminology, such as \xe2\x80\x9cover-classification\xe2\x80\x9d and \xe2\x80\x9cdamage to national security\xe2\x80\x9d\nhas not been defined by law, regulation, or executive order. During the course of our\nevaluation, we used a working definition of \xe2\x80\x9cover-classification,\xe2\x80\x9d which was supplied by\nNARA\xe2\x80\x99s Information Security Oversight Office: the designation of information as classified\nwhen the information does not meet one or more of the standards for classification under\nsection 1.1 of EO 13526. For example, \xe2\x80\x9cover-classification\xe2\x80\x9d can occur when information is\nmarked classified but does not fall into any of the eight categories of information specified\nby EO 13526. In addition, \xe2\x80\x9cover-classification\xe2\x80\x9d occurs when information is classified at too\nhigh of a level, such as information that might be marked Top Secret but for which\nunauthorized disclosure would not cause \xe2\x80\x9cexceptionally grave damage to national security.\xe2\x80\x9d\n\n\n                                             27 \n\n\x0cagreed with the OIG\xe2\x80\x99s assessment that the information should not have been\nclassified. The National Security Division official who reviewed the classified\ninformation in the OIG sample documents opined that the information was\nclassified appropriately because the inclusion of certain language from laws,\nstatutes, or regulations could expose the nature of the classified program.\nHowever, this official concurred with the OIG that statements of general\npolicy that are devoid of derivation or application to specific classified\noperations should not be marked classified.\n\n      Persistent misunderstanding and unawareness of proper classification\nprocesses can cause misclassification, which requires additional expenditures\nof funds and commitments of resources to store and secure the information\nand reduces the transparency of government operations.29 Although our\nlimited review only found isolated instances of over-classified information,\nthe types of weaknesses we identified throughout our review were\nassociated with DOJ\xe2\x80\x99s implementation of information classification policies\nand procedures, leading us to believe that DOJ is susceptible to additional\ninstances of misclassification.\n\nProper Use of Dissemination Controls\n\n       During our review of DEA classified documents, we found that the DEA\nadded to some of its classified information the control marking, \xe2\x80\x9cOriginator\nControlled\xe2\x80\x9d (ORCON), with some also including additional warning caveats\non the use of the information. According to the CAPCO manual, ORCON is\nused on classified intelligence that clearly identifies or reasonably permits\nready identification of intelligence sources and methods that are particularly\nsusceptible to countermeasures capable of nullifying or measurably reducing\ntheir effectiveness. The DEA\xe2\x80\x99s Office of National Security Intelligence must\nadhere to the CAPCO manual requirements because it is a member of the\nIntelligence Community. However, we found that DEA offices within and\noutside of the Intelligence Community both used the ORCON dissemination\ncontrol and we believe that some of the information in the classified DEA\ndocuments that we reviewed did not meet the CAPCO manual\xe2\x80\x99s ORCON\ndefinition. According to one DOJ official, it is difficult for an agency to deal\nwith ORCON marked documents because it inhibits sharing of information.\nMoreover, this official explained that individuals may also be unaware of\nwhat the ORCON marking actually entails and people may not be following\nthe instruction for getting authorization from the source to further share the\ninformation.\n\n\n       29\n            According to NARA\xe2\x80\x99s Information Security Oversight Office, the total security\nclassification cost estimate within the government for FY 2012 was $9.77 billion.\n\n\n                                              28 \n\n\x0c       DEA officials told us that although the DEA\xe2\x80\x99s preference was not to use\nthe ORCON dissemination control and additional warning caveats, the DEA\nhad adopted the restrictions for the protection of ongoing investigative\ninformation or confidential source information. Officials explained that the\nORCON marking and warning caveats were necessary to help ensure that\nothers receiving the information do not act on or share the information\nwithout first \xe2\x80\x9cdeconflicting\xe2\x80\x9d operational activities or coordinating their\ninformation sharing efforts with the DEA. Additionally, DEA officials told us\nthat even with the addition of the ORCON control markings, the DEA has had\nother government agencies misuse their information and in some cases this\nhas resulted in the compromise of an ongoing operation or damage to\nrelations with a foreign nation. He also stated that including the ORCON\nmarking and warning caveat was the DEA\xe2\x80\x99s attempt to better protect its\ninformation by instructing recipients to consult with the DEA before any\naction is taken based on DEA information.\n\n      We believe that the use of the ORCON dissemination control is\nnecessary to protect certain types of classified information. We also\nrecognize that law enforcement components within the DOJ have a need to\nprotect their on-going investigations and operations. From our\nconversations with DEA officials, it appears that the type of protection that\nthe DEA is trying to achieve through its use of ORCON is not currently being\naffected by its use of the ORCON control marking. In addition, it appears\nthat the non-Intelligence Community DEA entities using the ORCON control\nmarkings are doing so improperly. According to a SEPS official, overuse of\ndissemination control markings like ORCON dilute the effectiveness of these\nmarkings. Therefore, we believe that it is possible that the DEA\xe2\x80\x99s expanded\nuse of the ORCON dissemination control marking is reducing its usefulness.\n\n       According to SEPS officials, the onus is on DOJ components that use\nthe ORCON dissemination control to ensure that personnel understand the\npurpose of the ORCON dissemination control and use it appropriately.\nMoreover, SEPS officials stated that ODNI was developing ORCON-specific\ntraining and SEPS will promulgate that training once it is finalized. Because\nthe use of the ORCON dissemination marking may also impede the\ntimeliness for which classified information can be shared between agencies,\nwe recommend that SEPS ensure that ODNI\xe2\x80\x99s ORCON-specific training is\npromulgated to DOJ components once it is issued. In addition, SEPS should\ncoordinate with the DEA Security Programs Manager and officials\nrepresenting all DEA entities using the ORCON control markings to ensure\nthat the DEA\xe2\x80\x99s use of dissemination control markings is appropriate.\n\n\n\n\n                                     29 \n\n\x0cClassification Marking Deficiencies\n\n      During our review of classified documents, we found many documents\nthat either did not contain required classification markings or contained\nincorrect classification markings. When we brought these issues to the\nattention of DOJ officials within these components, they generally agreed\nwith the OIG\xe2\x80\x99s assessments. Exhibit 1-5 provides an overview of the\nmarking errors identified by the OIG.\n\n                                         EXHIBIT 1-5 \n\n                       Classified Document Marking Errors\n\n                                                         DOJ Components\n   Sample of FY 2012 Documents                   National                          Total\n                                                           Criminal\n      Reviewed by the OIG                  FBI   Security           DEA         Documents\n                                                           Division\n                                                 Division                        Reviewed\n   Derivative Classification Decisions      56      20        16     24             116\n   Original Classification Decisions30       0      11        10      4              25\n                                                                                   Total\n               Marking Errors on Documents Reviewed31                             Marking\n                                                                                   Errors\n Classification Block Errors\n    Missing, Incomplete, or Incorrect\n                                       51           20          16         0         87\n    "Classified By" Information\n    Missing, Incomplete, or Incorrect\n                                       52           18          16         8         94\n    "Derived From" Information\n    Missing, Incomplete, or Incorrect\n                                        5           15          17         0         37\n    Declassification Instructions\n Missing Portion Markings              25            9          18         9         61\n Missing or Incorrect Dissemination\n                                       23            5          10         8         46\n Control Markings\n Missing or Incorrect Classification\n                                       14            7          10         1         32\n Banner\n Totals                               170           74          87        26        357\n Source: OIG Review of DOJ Documents\n\n     Within this sample, we reviewed classified meeting notes and e-mails.\nWe found that officials often did not properly mark these documents because\n\n       30\n            We reviewed the \xe2\x80\x9coriginal classified\xe2\x80\x9d documents for proper classification markings\nusing the requirements for original classification decisions. However, as noted previously,\nthese documents should have been derivative classification decisions. These documents\nwere not evaluated to ensure that the source information was identified because original\nclassification decisions are only required to identify the OCA official and the intent of DOJ\ncomponents at the time of our audit was to make original classification decisions.\n       31\n         The identified marking errors exceed the number of documents reviewed because\nin many cases, a single document contained multiple marking errors.\n\n\n                                             30 \n\n\x0cthey were unaware of the classified marking requirements for these\nclassified products. As an example, we reviewed a document containing the\nsynopsis of a classified meeting over a secure phone call with a National\nSecurity Division official and officials from Intelligence Community agencies\nthat was marked with an overall classification of Secret, but because the\nNational Security Division official was unsure about other classification and\nmarking requirements for meeting notes, the document did not include the\nrequired classification block or portion markings. Similarly, Criminal Division\nofficials stated that they often discuss classified information at meetings with\nmembers of the Intelligence Community but were unsure about how to\nclassify and mark their notes from these conversations.\n\n       We also found that although some classified DOJ component e-mails\ncontained an overall classification marking, the majority of the e-mails that\nwe reviewed did not contain any classified portion markings or a\nclassification block. In addition, classified e-mails did not contain the\nclassification banner. Officials explained that they were not aware of\nclassification and marking requirements for forwarding a classified e-mail,\nand they did not understand their responsibilities when replying to an e-mail\nthat lacked appropriate classification markings. As a result, a single marking\nerror in an e-mail can be propagated many times over through replies and\nforwards.\n\n       Missing, Incomplete, or Incorrect Classification Block Information \xe2\x80\x93\nGenerally we found that the identification of the classifier was not included in\nthe classification block. Moreover, we found that some components did not\ninclude a classification block on documents or included an original\nclassification block on a derivatively classified document. Further, some\ncomponents used out-of-date classification guidance or included outdated\nversions of security classification guides. When we asked why the\ndocuments contained incomplete or incorrect classification blocks, FBI, DEA,\nNational Security Division, and Criminal Division officials stated either they\nwere unaware of the classification block requirements or were using\noutdated templates, tools, or previously classified documents to provide the\nformat or information for their classification block.\n\n       Lack of or Incomplete Source Reference \xe2\x80\x93 We found that none of the\ndocuments that used multiple sources to derive a classified document\nproperly referenced the source documents in the classification block or\nincluded a classified addendum. Although the implementing regulation and\nDOJ policy clearly identify this requirement, FBI, DEA, National Security\nDivision, and Criminal Division officials stated that they were unaware of the\nsource list requirements. Criminal Division and National Security Division\nofficials said that they generally attach the source documents to the file copy\n\n                                      31 \n\n\x0cof the document. These officials added, however, that there are instances in\nwhich the drafting attorney needs additional information and will contact the\nsource of the information directly and could place that information in\nCriminal Division and National Security Division case files. However, the\nfiles reviewed by the OIG did not contain source information for all of the\nclassified information contained in the documents.\n\n      Incorrect Declassification Instructions \xe2\x80\x93 FBI, National Security Division,\nand Criminal Division officials were also unfamiliar with requirements for\ndeclassification markings. We found that classifiers generally used \xe2\x80\x9c25 years\nfrom the date of creation\xe2\x80\x9d as the \xe2\x80\x9cde facto\xe2\x80\x9d declassification date and did not\nconsult security classification guides for the OCA official\xe2\x80\x99s declassification\ninstructions. Additionally, some of these officials were unaware of the\nrequirements for determining a declassification date on a classified\ndocument that was created using information from multiple sources. In\nthese circumstances, classifiers are required to use the declassification\ninstruction that corresponds to the longest period of classification among all\nof the source documents, yet many of the officials we interviewed stated\nthat they instead made an educated guess to determine the declassification\ndate. Because these practices can result in information remaining classified\nlonger than may be necessary, there is an increased risk of wasted\nresources, such as security containers and security guards needed to protect\nthe information from disclosure. Conversely, if classifiers improperly use a\nperiod shorter than necessary, classified information may inadvertently be\nexposed before the risk to national security has passed.\n\n       Missing Portion Markings \xe2\x80\x93 In our review of a sample of classified\ninformation, we found 63 occurrences where the classifier failed to properly\napply portion markings to a document with the appropriate classification\nlevel and dissemination instructions. FBI, National Security Division, and\nCriminal Division officials attributed these portion marking errors to either\nhuman error or formatting issues. National Security Division and Criminal\nDivision officials further stated that the marking errors were generally\nattributable to the National Security Division and Criminal Division having\nreceived unmarked source documents from other components. One of the\ndocuments reviewed by the OIG contained a footnote specifying that the\ndocument lacked portion markings because the source document was not\nproperly marked. DOJ officials were mindful of the requirement that\nclassified documents should contain portion markings, but were unaware\nthat if a classified source document is not marked correctly the receiving\nagency must request a revised version of the document.\n\n      Missing or Incorrect Dissemination Control Markings \xe2\x80\x93 We noted\ninstances where dissemination control markings were not always carried\n\n                                      32 \n\n\x0cover from source documents. FBI and DEA officials attributed these\ninstances to human error and stated that the control markings should have\nbeen carried over to the derivatively classified documents. However, some\nof these instances occurred when information from Intelligence Community\ndocuments was transferred to derivatively classified documents created by\nDOJ components that are not members of the Intelligence Community.\nNational Security Division and Criminal Division officials stated that they\nwere unaware of the requirements for the various dissemination control\nmarkings because they did not have access to or were unaware of\nIntelligence Community control and handling marking requirements. In\naddition, we found that many of the officials relied on previous training or\nexperience received from past employment when handling and marking\nclassified material, even if that experience was acquired when there was\ndifferent and now outdated classification guidance.\n\n      Missing Classification Banner - We found various documents that did\nnot contain an overall classification marking banner. In most of these\ninstances, FBI, National Security Division, and Criminal Division officials\nstated that this was human error.\n\nFactors Contributing to Classification Deficiencies\n\n       As recognized in EO 13526, protecting information critical to national\nsecurity and demonstrating a commitment to open government are\naccomplished through accurate and accountable application of classification\nstandards, including uniform classification marking systems and security\nclassification guides, as well as the use of technology needed to share\nnational security information. As explained below, we found that the\nclassification deficiencies identified during our audit were often attributable\nto the following factors: deficiencies in DOJ\xe2\x80\x99s implementation of\nclassification and control marking guidance; inadequate and inconsistent use\nof security classification guides; a lack of automated tools capable of\nimproving classification processes; deficiencies in the systems infrastructure\nused to process and store classified information; and weaknesses in DOJ\xe2\x80\x99s\nsecurity education and training programs.\n\nClassification and Control Marking Guidance\n\n      As previously mentioned, NARA issued the Information Security\nOversight Office\xe2\x80\x99s Marking Classified National Security Information booklet to\nprovide a baseline overview for classification marking requirements for\noriginal and derivative classifiers. In addition, ODNI issued the CAPCO\nManual to provide members of the Intelligence Community with a standard\nset of classification marking requirements and instructions for using\n\n                                      33 \n\n\x0cagency-specific dissemination and handling control markings. However,\nsome DEA and FBI officials from these Intelligence Community sections who\nwere responsible for classifying the documents that the OIG reviewed were\neither unaware or only vaguely familiar with the CAPCO Manual. These\nofficials instead relied upon prior knowledge and on-the-job training when\nmarking classified documents.\n\n       In addition, DOJ officials from the National Security Division and\nCriminal Division work directly with the Intelligence Community to produce\nlegal documents based on information obtained and classified by the\nIntelligence Community. However, DOJ officials from these divisions said\nthat they were unaware of ODNI\xe2\x80\x99s policies and procedures regarding\ndissemination control markings as stated in the CAPCO Manual and used on\ndocuments provided by Intelligence Community agencies. These officials\nonly referenced the Information Security Oversight Office\xe2\x80\x99s Marking\nClassified National Security Information booklet when derivatively classifying\nIntelligence Community information.\n\n      Of particular concern was National Security Division officials\xe2\x80\x99 lack of\nknowledge of the requirement for FISA markings in classified documents, as\ndefined in the CAPCO Manual. Specifically, the CAPCO Manual contains a\nrequirement that documents with FISA-obtained information contain a\nFISA-specific control marking. The National Security Division is responsible\nfor overseeing implementation of FISA and receives numerous documents\nwith such markings from agencies within the Intelligence Community.\nHowever, the National Security Division does not belong to the Intelligence\nCommunity, does not follow the CAPCO Manual guidelines, and does not use\nthe FISA-specific markings. Moreover, National Security Division officials\nexplained that when creating new classified documents they do not carry\nforward the FISA-specific markings from the original source documents from\nthe Intelligence Community.\n\n       In September 2012, SEPS published the DOJ Marking Classified\nNational Security Information guide, the first DOJ-specific marking guide\never produced. This marking guide is more comprehensive than the\nInformation Security Oversight Office\xe2\x80\x99s Marking Classified National Security\nInformation booklet. However, we found that DOJ\xe2\x80\x99s guide did not\nincorporate all Intelligence Community marking requirements. Therefore,\nwe believe that SEPS should ensure that all DOJ components that work with\nIntelligence Community national security information \xe2\x80\x93 not just those\ncomponents that are formally part of the Intelligence Community \xe2\x80\x93 have the\nnecessary training to understand the marking and dissemination controls in\nthe CAPCO Manual and to ensure that appropriate dissemination control\nmarkings are applied as required.\n\n                                     34 \n\n\x0c       In addition, we believe that SEPS should improve the DOJ Marking\nClassified National Security Information guide to address the various ways to\nproperly mark and classify e-mail correspondence and classified meeting\nnotes. For example, the overview of how to mark a classified e-mail does\nnot provide instruction for forwarding e-mails or how to elevate the\nclassification of an e-mail if the response contains information at a higher\nclassification than the original e-mail. Moreover, there is no overview of how\nto classify notes from in-person meetings or secure phone calls where\nnational security information is discussed.\n\n       According to SEPS officials, the derivative classification concept and\nprinciples do not change because information is in an electronic format or\nbecause information is provided during in-person meetings and phone calls.\nHowever, as identified by the OIG during the audit, many individuals found\nthat it was difficult to interpret classification and marking guidance and apply\nthese instructions to e-mails and meeting notes. Further, although SEPS\nclearly indicated to the OIG that items such as meeting notes would be\nconsidered \xe2\x80\x9cworking papers\xe2\x80\x9d and would not require classification marking\ndue to their status as temporary documents, this is not noted in the guide.\nTherefore, we believe that SEPS and DOJ component Security Programs\nManagers need to ensure that personnel understand how to mark and\nclassify all types of communication and documentation formats.\n\n      Therefore, we recommend that SEPS review the DOJ Marking\nClassified National Security Information guide and incorporate\ncomprehensive instruction for marking all types of classified products,\nincluding e-mail correspondence and meeting notes.\n\nSecurity Classification Guide Use\n\n       As previously stated, security classification guides are instructions\nfrom OCA officials on how to properly classify information. None of the\nNational Security Division or Criminal Division classified documents reviewed\nby the OIG were derived from a security classification guide. Many officials\nthat created these documents were unaware of how to use a security\nclassification guide and did not know that DOJ had established the DOJ\nNational Security Information Security Classification Guide for use by all DOJ\ncomponents.\n\n       In addition, during our review of FBI classified documents, we found it\ndifficult to determine if the classification decision was appropriate because\nthe classification block did not convey enough information to identify the\nelement within the FBI National Security Information Security Classification\n\n                                      35 \n\n\x0cGuide used as a reason for classification. When we asked FBI officials about\ntheir process for determining the classification of information, they informed\nus that they do not actually consult the FBI National Security Information\nSecurity Classification Guide when derivatively classifying documents. The\nreason the FBI National Security Information Security Classification Guide\nwas identified as the source in the classification block was because selecting\nthe FBI National Security Information Security Classification Guide as the\nsource for all derivative classification decisions was a general practice.\n\n       We found that, in general, the DEA properly sourced its derivatively\nclassified documents to the DEA National Security Information Security\nClassification Guide and identified the specific elements in the guide used to\nclassify the information. The DOJ National Security Information Security\nClassification Guide states that when using one item in the security\nclassification guide as the derivative source of classification, derivative\nclassifiers should identify the item number within the classification block.\nHowever, the DOJ guide also states that when a derivative classifier uses\nmultiple line items within the security classification guide to classify\ninformation, it is sufficient to only cite the security classification guide and\nnot the specific line items. According to SEPS officials, the general cite\nshould be used when there are four or more line items that apply to the\nclassified information.\n\n       The use of security classification guides should facilitate the proper\nand uniform derivative classification of information. SEPS should ensure\nthat all DOJ components understand how to properly use security\nclassification guides to derivatively classify documents. Moreover, we\nbelieve that including specific line items is a good practice to ensure\naccountability for classifying information and also helps facilitates the review\nof classified information during the declassification process. Therefore, SEPS\nshould reinforce to DOJ components its requirement for DOJ components to\ninclude the specific item number of the security classification guide used as\nthe source of the derivative classification decision and clarify that this is\nnecessary for up to four line items when multiple line items are used.\n\nAutomated Classification Marking Tools\n\n       During our review, we identified various automated tools used by DOJ\ncomponents to mark classified information. Each automated tool provided\nDOJ components with a more efficient process for marking classified\ninformation and also provided these components with more assurance that\nclassified information was properly marked.\n\n\n\n                                       36 \n\n\x0c       For example, to help standardize and expedite the classification and\nmarking of national security information, ODNI developed a Classification\nManagement Toolkit (CMT) for use by members of the Intelligence\nCommunity. The CMT is an automated application that classifiers use to\ngenerate and apply classification markings to documents and e-mails,\nincluding a classification banner, classification block, and portion markings.\nCurrently, the CMT is only available to the FBI and DEA for use on their\nclassified networks because these two components are the only DOJ\ncomponents within the Intelligence Community. The CMT is not available to\nany other DOJ components that work with classified information on JCON-S\nor JCON-TS, DOJ\xe2\x80\x99s Secret and Top Secret information sharing networks,\nrespectively.\n\n      Officials from DOJ components without CMT installed on their systems\ninformed us that they were interested in obtaining an automated system\nsuch as CMT. SEPS officials initially told us that DOJ was interested in\nacquiring CMT for all DOJ components, but funding was not available.\nHowever, in May 2013 SEPS began gathering information from the CMT\nProgram Office within ODNI regarding the cost and requirements to\ndetermine CMT\xe2\x80\x99s functionality and the feasibility of installing it for use\nthroughout DOJ.32\n\n       We observed the CMT\xe2\x80\x99s classification marking process and interviewed\nofficials who used the CMT to classify their documents and e-mails. We\nbelieve that the CMT expedites the processing of classifying information and\nimproves compliance with classification guidance by requiring derivative\nclassifiers to include required classification markings on their classified\ndocuments. However, we also found that the use of CMT does not replace\nthe need for oversight and training based on our finding, discussed above,\nthat some derivatively classified FBI documents we reviewed contained\nmarking errors, such as not including the identity of the classifier and\nreferencing outdated source information, despite the fact that the derivative\nclassifiers had used CMT to mark the document.\n\n\n\n\n       32\n            According to an FBI official, the entire program cost of CMT is split between the\n20 Intelligence Community \xe2\x80\x9ccustomers.\xe2\x80\x9d When CMT was first installed, the FBI made an\ninitial outlay of $16,000. According to FBI officials, the FBI has not incurred any costs for\nCMT since the initial outlay because ODNI has covered additional costs for maintenance and\nupgrades. However, an official at the FBI stated that although ODNI has covered\nsubsequent costs for CMT, ODNI recommended that the FBI allocate additional resources for\nCMT just in case ODNI requires an FBI contribution in any given year and to cover any\n\xe2\x80\x9cFBI-specific\xe2\x80\x9d CMT modifications.\n\n\n                                             37 \n\n\x0c      Another automated marking tool we encountered during the audit was\nan automated program based on commercially available technology to assist\nattorneys with drafting FISA applications. The program, developed by the\nOffice of Intelligence at the National Security Division, automatically\nprovides templates for regularly used documents, as well as a classification\nbanner and document portion markings. This program has not been\nadapted for use by other sections within the National Security Division that\ndevelop other types of classified legal documents.\n\n      According to DOJ officials, these automated tools have helped to\nexpedite and standardize the classification marking process for national\nsecurity information. These tools have also assisted DOJ components in\nstreamlining the process for creating standardized classified documents. We\nbelieve that all DOJ components that work with classified information could\nbenefit from using automated classification tools to ensure that classified\ndocuments, in particular classified e-mail communications, are marked\nappropriately. We recommend that SEPS evaluate the possibility of using\nautomated classification tools throughout DOJ.\n\nClassification Protocols and Classified Infrastructure\n\n      DOJ components do not always have adequate infrastructure for\naccessing and sharing classified national security information. For many DOJ\ncomponents, this adds a layer of complexity to working with classified\ninformation.\n\n       For example, an FBI official told us that sometimes the FBI and Central\nIntelligence Agency (CIA) will work with the same human source but may\nclassify the information differently. Typically, the FBI will work with a source\nwhile he or she is in the United States and classify information from the\nsource as either law enforcement sensitive or Secret, depending upon the\nsubject matter. The CIA, in comparison, will work with the same source\nwhile he or she is overseas and classify information pertaining to the source\nas Secret//Sensitive Compartmented Information. Yet, when the agencies\nshare their information with each other, the CIA\xe2\x80\x99s use of the additional\nSensitive Compartmented Information caveat results in the FBI not being\nable to place the CIA\xe2\x80\x99s information on its regular classified system. Instead,\nthe FBI must use an authorized Top Secret system or maintain the\ninformation in paper files. As a result, sharing the information with field\noffices or agents in remote locations can be arduous because not every FBI\nfield office or satellite location has ready access to Top Secret systems.\nTherefore, to get this information to the proper personnel, the FBI must use\nother methods, such as requiring Special Agents to travel to another facility\n\n\n                                       38 \n\n\x0cto access an appropriate system, or relying on other government agencies to\nserve as a conduit for the information.\n\n       One information sharing tool is the use of \xe2\x80\x9ctearlines.\xe2\x80\x9d Tearlines allow\nfor the separation of pieces of information and enable the release of\nclassified intelligence information with less restrictive dissemination controls,\nand, when possible, at a lower classification. The use of tearlines requires\nindividuals to prepare a classified document in a manner such that\ninformation relating to intelligence sources and methods, or other highly\nclassified information, is easily severable to protect such sources and\nmethods from disclosure. We believe that in instances like the one\ndescribed above, the use of tearlines would benefit DOJ components that do\nnot have the proper infrastructure to access certain classified information.\n\n       However, the use of tearlines and similar workarounds is not a\ncomplete solution, as they do not solve the problem that DOJ does not\ncurrently have a comprehensive classified systems infrastructure capable of\nquickly and securely communicating highly classified or sensitive\ncompartmented information to all personnel who may need to receive it. We\ntherefore believe that SEPS should evaluate the current classified\ninfrastructure in place throughout DOJ to determine what improvements are\nneeded for DOJ components, in particular those DOJ components with field\noffices that work with Intelligence Community agencies, to successfully\nclassify, use, and share all types of national security information. Moreover,\nwe believe that DOJ components, especially the FBI and DEA, should convey\nto their Intelligence Community partners the need to provide classified\ninformation in a form that is as accessible as possible, consistent with the\nneed to protect the information, and that they should consider the use of\ntearlines or other information sharing tools designed to increase information\nsharing wherever appropriate. SEPS officials stated that the Intelligence\nCommunity is evaluating tearline reporting and SEPS will convey to all DOJ\ncomponents, through the Security Programs Managers, any guidance\nprovided by the Intelligence Community.\n\nSecurity Education and Training\n\n      During our interviews with DOJ personnel, many DOJ officials\nexpressed a general lack of understanding on how to properly identify and\nmark classified information. DOJ personnel expressed significant confusion\nregarding the appropriate methods for identifying sources of classified\ninformation and marking e-mail correspondence and classified meeting\nnotes. Many DOJ personnel also said that when they were uncertain about\nhow or when to classify and mark information, they were more likely to err\non the side of caution and mark the information as classified.\n\n                                       39 \n\n\x0c       Moreover, few DOJ officials were aware of or used DOJ classification\nresources, including security classification and marking guides, when\nworking with classified information. Instead, DOJ officials informed the OIG\nthat they regularly relied on historical practices and prior knowledge to make\nclassification decisions. In addition, officials explained that if they were\nunsure about how to classify and mark information, they would ask a\ncolleague, who would have experience with the subject matter but may not\nhave the expertise to answer a classification question accurately. We\nbelieve that this lack of understanding and reliance on \xe2\x80\x9chistoric\xe2\x80\x9d processes\nresulted in many of the classification and marking errors we identified.\n\n       To correctly classify information, DOJ personnel need to receive\ncomprehensive training that adequately prepares them to make informed\nclassification decisions when dealing with national security information. DOJ\npersonnel whose duties involve the creation or handling of classified\ninformation are required to take initial and annual refresher classification\ntraining that incorporates procedures for classifying and declassifying\ninformation. However, SEPS and some components within DOJ did not\nmaintain a system that accurately tracked and verified whether individuals\nreceived and completed the required training. According to SEPS, many of\nthe components reported in FY 2012 that original and derivative classifiers\ndid not receive initial or annual refresher training. Moreover, many of the\nFBI, DEA, Criminal Division, and National Security Division officials we\ninterviewed could not identify the training they received and suggested that\na more robust training program would be helpful.\n\n       After reviewing DOJ components\xe2\x80\x99 training programs, as well as the\ntraining offered by SEPS, we found varying degrees of quality and depth.\nThe FBI had the most comprehensive training program. The FBI offered\nongoing instructor-led classification training sessions, as well as electronic\ntraining sessions that incorporated all aspects of the classification process\nand how to manage classified information. In comparison, we found that\nother DOJ components offered self-learning programs with no instructor-led\nportion. Further, some of these training programs did not provide an\nin-depth overview of the classification process, but rather focused on\nprotecting and storing classified information. One of DOJ\xe2\x80\x99s OCA officials who\nreceived classification training through a slide-show format stated that he\nwould have preferred a more interactive live training course because it\nwould have provided him the opportunity to ask questions.\n\n     In FY 2013, SEPS officials recognized the need for training\nimprovements and initiated automated slide-show training programs for DOJ\ncomponents to use for their original and derivative classifiers. According to\n\n                                     40 \n\n\x0cSEPS officials, these training programs incorporated knowledge tests that\nhelp to ensure that at least the most basic elements of classification\nprocedures are understood before an original or derivative classifier receives\ncredit. However, we found that these training programs did not incorporate\nall aspects of security and classification requirements. Of particular note\nwas the absence of an explanation of DOJ\xe2\x80\x99s classification challenge process,\nwhich entitles authorized holders of information to challenge the\nclassification status of the information when the holder, in good faith,\nbelieves that its classification status is improper. We found that many DOJ\nofficials were unaware of DOJ\xe2\x80\x99s formal classification challenge process.\nWhen the OIG informed SEPS about this discrepancy, SEPS officials stated\nthat information relating to classification challenges is detailed in the SPOM\nand individuals are responsible for reading the SPOM, educating themselves\non the classification process, and asking questions of the DOJ component\nSecurity Programs Managers. Although we agree that individuals are\nresponsible for knowing and understanding DOJ\xe2\x80\x99s security policies and\nprocedures as detailed in the SPOM, we also understand that the SPOM is\nmore than 100 pages long and individuals rely on training programs to\ninstruct them on these procedures.\n\n      Another aspect of classification management that was missing from\nDOJ\xe2\x80\x99s training programs was the instruction about what personnel should do\nwhen a source document is either not marked or marked inappropriately. As\npreviously mentioned, we found documents that DOJ officials knew were not\nmarked properly, but these officials stated that they did not know how to\nhandle improperly marked source documents.\n\n       Finally, federal regulations require agencies to emphasize the\nimportance of sharing and classifying information so it can be used to\nmaximum utility. However, the SEPS training programs do not emphasize\nthe importance of ensuring that information is classified at the appropriate\nlevel and not over-classified. Throughout interviews conducted during this\naudit, the OIG found that DOJ personnel were more likely to \xe2\x80\x9cerr on the side\nof caution\xe2\x80\x9d when it came to classifying information. When there was any\ndoubt about whether information should be classified, various DOJ officials in\nseveral components stated that they would most likely classify the\ninformation to avoid the risk of accidently releasing classified national\nsecurity information. These individuals did not express significant concern\nfor the possibility of over-classifying information, and some of these\nindividuals stated \xe2\x80\x93 incorrectly in our view \xe2\x80\x93 that there are no consequences\nfor over-classifying information, but that the consequences for releasing\nclassified materials can be significant.\n\n\n\n                                      41 \n\n\x0c       We attributed many of the classification and marking issues we\nidentified throughout our review to inadequate training. Specifically, we\nbelieve that the individuals responsible for the classification decisions and\napplication of appropriate markings were not sufficiently aware of the\nappropriate requirements because the training available throughout DOJ did\nnot provide its personnel with the comprehensive knowledge regarding\nclassification policies, procedures, and requirements needed to operate an\neffective classification management system. According to SEPS officials,\nresource constraints have negatively impacted their ability to operate a\nrobust security education and awareness training program. We recommend\nthat SEPS work with DOJ components, specifically the Security Programs\nManagers, to enhance classification training programs to ensure that all\npersonnel are aware of policies, procedures, and requirements for classifying\nnational security information.\n\nClassification of Otherwise Unclassified Information\n\n       DOJ has both national security and law enforcement responsibilities.\nDuring our review, we found that when the DEA develops intelligence reports\nfor dissemination to the Intelligence Community it takes unclassified law\nenforcement sensitive information, sanitizes the information to exclude\noperational information and conceal sources and methods, and upgrades the\nclassification of that information to Secret. Therefore, the same piece of\ninformation can exist as unclassified law enforcement sensitive information\nin a DEA case file and as classified information in a DEA intelligence report.\nA DEA official explained that this information must be classified when it is\ndisseminated to the Intelligence Community because it always has a foreign\nnexus and any compromise of this type of information may affect the DEA\xe2\x80\x99s\noperations, sources, and relations with foreign services, and would be\ndamaging to U.S. interests. In addition, this DEA official explained that the\nDEA\xe2\x80\x99s classification practice is also based on the mosaic theory of\nclassification, where individual unclassified facts can add up to classified\nfacts when looked at in the aggregate. For example, according to this DEA\nofficial the fact that operationally derived information is routed to the\nIntelligence Community can elevate the classification level, as it can reveal\ninformation on the scope of the DEA\xe2\x80\x99s operations in particular areas.\n\n      Although we understood the DEA\xe2\x80\x99s concerns regarding the sharing of\ninformation, we also believed that this practice could cause the\nover-classification of information. The OIG reviewed the DEA intelligence\nreports and questioned the classification of the information in these reports,\nas well as the DEA\xe2\x80\x99s overall practice of classifying law enforcement sensitive\ninformation when it is shared with the Intelligence Community. In response,\na DEA official informed us that the DEA\xe2\x80\x99s policy was in-line with DOJ and\n\n                                     42 \n\n\x0cODNI policies for classifying information. Nevertheless, the OIG also\nbrought this classification practice to the attention of both SEPS and DOJ\xe2\x80\x99s\nDepartment Review Committee (DRC), which functions as DOJ\xe2\x80\x99s oversight\nentity in resolving issues related to the implementation of EO 13526,\nincluding those issues concerning over-classification. Both SEPS and the\nDRC upheld the classification status of the DEA\xe2\x80\x99s intelligence reports, as\nthese entities agreed that the mosaic theory of classification applied to DEA\nintelligence reports when combined with the fact that the reports were being\nshared with the Intelligence Community. However, SEPS and DEA officials\nacknowledged that certain portions within the classified intelligence reports\nwere classified incorrectly.\n\nRecommendations\n\nWe recommend that SEPS:\n\n     1.\t   Explain to DOJ components the importance of reducing the\n           number of OCA officials and have DOJ components re-examine\n           their number of OCA officials.\n\n     2.\t   Review all DOJ security classification guides and work with\n           Security Programs Managers and OCA officials to identify and\n           reduce redundancies and to ensure that instructions are clear,\n           precise, consistent, and provide derivative classifiers with\n           sufficient information to make accurate classification decisions.\n\n     3.\t   Work with DOJ component Security Programs Managers to\n           ensure that OCA officials understand the difference between\n           original and derivative classification decisions and properly mark\n           classified information according to the proper requirements of\n           the classification decisions.\n\n     4.\t   Ensure that ODNI\xe2\x80\x99s ORCON-specific training is promulgated to\n           DOJ components once it is issued and coordinate with the DEA\n           Security Programs Manager and officials representing all DEA\n           entities using the ORCON control markings to ensure that DEA\xe2\x80\x99s\n           use of dissemination control markings is appropriate.\n\n     5.\t   Ensure that all DOJ components are aware of and understand\n           how to apply classification resources and markings, in particular,\n           security classification guides, the CAPCO manual, and required\n           FISA-specific dissemination controls, as appropriate.\n\n\n\n                                     43 \n\n\x0c6.\t    Review the DOJ Marking Classified National Security Information\n       guide and incorporate comprehensive instruction for marking all\n       types of classified products, including e-mail correspondence and\n       meeting notes.\n\n7.\t    Reinforce to DOJ components its requirement to include the\n       specific item number of the security classification guide used as\n       the source of the derivative classification decision and clarify that\n       this is necessary for up to four line items when multiple line\n       items are used.\n\n8.\t    Evaluate the possibility of using automated classification tools\n       throughout DOJ.\n\n9.\t    Determine what classified infrastructure enhancements are\n       needed for DOJ components, in particular those DOJ components\n       with field offices that work with Intelligence Community\n       agencies, to successfully use and share appropriate types of\n       classified information.\n\n10.\t   Work with DOJ components to enhance classification training\n       programs to ensure that all personnel are aware of policies,\n       procedures, and requirements for classifying national security\n       information.\n\n\n\n\n                                 44 \n\n\x0cII.   DOJ CLASSIFICATION OVERSIGHT AND MANAGEMENT\n\n      SEPS is responsible for managing and developing DOJ policy for\n      classified national security information. SEPS has developed\n      oversight and review processes for classified national security\n      information, as directed by EO 13526, but has not successfully\n      implemented those processes because of insufficient resources,\n      deficient oversight, and inadequate assistance from DOJ\n      components. For example, SEPS has developed a mechanism\n      for collecting information regarding classification decisions by\n      DOJ components and has executed a self-inspection program\n      throughout DOJ. However, we found that DOJ components\n      provided incorrect information to SEPS because they were\n      uncertain of all reporting requirements.\n\nSEPS Classification Management and Oversight\n\n       As the designated DOJ Department Security Officer, the Director of\nSEPS is responsible for managing and developing the policy for DOJ\xe2\x80\x99s\nclassified national security information and ensuring DOJ\xe2\x80\x99s organizational\ncompliance with classification laws, regulations, and directives, as\nappropriate. To accomplish this task, SEPS has promulgated the Security\nProgram Operating Manual (SPOM), which provides the foundation for DOJ\xe2\x80\x99s\nsecurity and classification management program.\n\n       With nearly 60,000 personnel authorized to potentially access and\nderivatively classify national security information, SEPS\xe2\x80\x99s responsibilities are\nsignificant. Previous reviews conducted in 2006 by the Government\nAccounting Office (GAO) and NARA\xe2\x80\x99s Information Security Oversight Office\nfound that SEPS lacked adequate resources to implement DOJ\xe2\x80\x99s security\nclassification program. During our audit, SEPS officials expressed concern\nthat while EO 13526, the Reducing Over-Classification Act, and other\nmandates that are unrelated to classification have substantially increased\nSEPS\xe2\x80\x99s responsibilities over the past few years, SEPS has not received any\nadditional resources to fulfill those obligations. These officials stated that\nthe resource constraints necessarily limit the effectiveness of their oversight\nand management of DOJ\xe2\x80\x99s security and classification program.\n\n      SEPS\xe2\x80\x99s classification program activities do appear to be understaffed.\nSEPS has only one classification subject matter expert who, in addition to\nbeing responsible for overseeing the development and review of DOJ\xe2\x80\x99s\nsecurity classification guides, is also responsible for the coordination and\n\n\n\n                                       45 \n\n\x0cdevelopment of DOJ\xe2\x80\x99s declassification guide and procedures.33 Additionally,\nSEPS has only staffed a single 4-person team responsible for conducting\non-site compliance reviews of DOJ\xe2\x80\x99s 3,500 facilities and 115,000 employees\nto ensure compliance with DOJ security policies and classification practices.\nMoreover, these compliance reviews do not focus exclusively on classification\nand marking procedures, but also include evaluations of physical, personnel,\ncontractor, and document security; information technology; communications\nand operations; occupant emergency; continuity of operations; and safety\nand health programs.\n\n       Due to a lack of in-house resources, SEPS relies heavily on each\ncomponent\xe2\x80\x99s designated Security Programs Manager, who oversees the\ncomponent\xe2\x80\x99s internal security review programs and manages the associated\nsecurity processes. According to SEPS officials, however, many Security\nPrograms Managers do not have the appropriate background to manage the\nbreadth of their component\xe2\x80\x99s security programs. These SEPS officials told us\nthat some DOJ components assign the Security Programs Manager function\nto personnel as a collateral responsibility and do not devote adequate\nresources to train them on proper classification procedures. Some SEPS\nofficials told us that these problems result in a high turnover rate for\nSecurity Programs Managers, which makes it difficult for SEPS to effectively\ncoordinate and oversee the implementation of security policies and\nprocedures.\n\n       During our review we found weaknesses in SEPS\xe2\x80\x99s execution of\nclassification management requirements, including oversight of classified\ninformation and special access programs, classification reporting\nrequirements, annual self-inspection reports, oversight of compromises to\nclassified information, and implementation of regulatory requirements.\nMoreover, we identified that SEPS did not fully implement certain\nclassification program requirements in accordance with EO 13526. We\nbelieve that some, but not all of these weaknesses resulted from or were\nexacerbated by resource constraints at SEPS.\n\nSpecial Access Programs\n\n       Another weakness that the OIG found involved DOJ components\nparticipating in Special Access Programs (SAP) unbeknownst to SEPS. A SAP\nis a program established for a specific class of classified information and\n\n\n\n      33\n        United States Department of Justice Automatic Declassification Guide,\nNovember 2012.\n\n\n                                           46 \n\n\x0cdesigned to impose safeguarding requirements that exceed those normally\nrequired for information at the same classification level.\n\n       During the course of our review, we found that the FBI was\nparticipating in an Intelligence Community SAP since 1999 and the DEA was\nparticipating in an Intelligence Community SAP with read-on procedures\nsince 1991.34 SEPS officials explained that both of these programs fall under\nthe purview of the Intelligence Community and SEPS does not have any\nadditional required oversight over these programs. However, SEPS officials\nalso stated that as the entity responsible for ensuring DOJ\xe2\x80\x99s compliance with\nclassification management procedures, SEPS should ideally be aware of all\nSAP programs that DOJ components operate, even if those programs fall\nunder the auspices of the Intelligence Community. Therefore, in order to\nensure that SEPS has a comprehensive understanding over DOJ\xe2\x80\x99s\nclassification management program, we recommend that SEPS establish a\npolicy for DOJ components to alert SEPS to its participation in SAPs that are\noverseen by the Intelligence Community.\n\nClassification Program Reporting Requirements\n\n       SEPS annually prepares and submits to NARA\xe2\x80\x99s Information Security\nOversight Office certain metrics on the number of DOJ classification\ndecisions, number of challenges to DOJ classification decisions, DOJ\nclassification training, and the associated costs of maintaining DOJ classified\ninformation. SEPS relies on the components to self-report the above\ninformation. Yet we found that although SEPS has collected this information\nas required, it has not verified the accuracy of the information reported even\nthough some of the information submitted by components was\nquestionable.35 SEPS officials believe that Security Programs Managers\nmust ensure that these reports contain accurate and reliable information\nbefore they submit them to SEPS. However, we found that DOJ components\ndid not receive enough guidance on how to report the number of classified\n\n       34\n           When an OCA official(s) determines that certain classified information requires\nadditional safeguarding, agencies will implement \xe2\x80\x9cread-on\xe2\x80\x9d procedures to limit the number\nof persons with access to the information and control dissemination of the information.\n       35\n            In FY 2012, the Criminal Division reported to SEPS that two personnel from one\nsection generated 185 classification decisions through e-mail. However, when we requested\na listing of the classification decisions, an official within the section said that she included all\nclassified e-mail in the total derivative classification decisions \xe2\x80\x93 regardless of whether she\nwas the originator of the initial e-mail. This official was unaware that only the initial e-mail\nin a string of e-mails should be counted as a classification decision. As a result, this official\nsaid that the majority of the derivative classification decisions that were reported to SEPS\nwere reported in error.\n\n\n                                                47 \n\n\x0cdecisions. Some component officials acknowledged that for FY 2012 they\nreported an incorrect number of classified decisions because they were\nunclear about the reporting requirements.\n\nSelf-Inspections\n\n       As required by EO 13526, in 2011 SEPS established a self-inspection\nprogram to help oversee DOJ\'s classified national security information\nprogram. To implement the DOJ self-inspection program, SEPS provided a\nself-inspection checklist that required DOJ components to evaluate\nadherence to classification principles and compliance with requirements\ncovering original classification, derivative classification, declassification,\nsafeguarding national security information, security violations, security\neducation and training, and management and oversight. The\nself-inspections also require DOJ components to conduct annual reviews of\ntheir relevant security directives and instructions, examine a representative\nsample of their original and derivative classification decisions, and interview\nproducers and users of classified information. Since FY 2011, SEPS has\nreported the results of the self-inspection program to NARA\xe2\x80\x99s Information\nSecurity Oversight Office.\n\n       We reviewed a sample of DOJ components\xe2\x80\x99 self-inspection reports and\nidentified significant methodological errors. Some components reported that\nthey had performed a review of classified documents, but the review\nprocedure described in the report only entailed physical security reviews of\noffices and facilities and did not mention any type of document review. The\nOIG verified with some Security Programs Managers that they only\nconducted informal reviews that did not evaluate the classification and\nmarking of documents. In addition, we found that some components did not\nconduct annual reviews, as directed, but conducted reviews on a tri-annual\nbasis. Moreover, some components did not answer all of the questions\nincluded in the self-inspection checklist, which could indicate that the\nself-inspection review was incomplete.\n\n      SEPS officials were aware of the incompleteness and inaccuracies\nfound in the components\xe2\x80\x99 self-inspection\xe2\x80\x99s reports in FYs 2011 and 2012\nwhen they were initially submitted, reviewed by SEPS officials, and\nconsolidated into DOJ\xe2\x80\x99s report to NARA\xe2\x80\x99s Information Security Oversight\nOffice. However, SEPS did not follow up with DOJ components at the time to\nensure that these reports contained the most reliable information. According\nto SEPS officials, this was due to its resource constraints and that only one\nspecialist oversees the self-inspections reporting process and that the\nresponsibility is a collateral duty.\n\n\n                                      48 \n\n\x0c       In March 2013, SEPS implemented monthly focus meetings for\nSecurity Programs Managers to assist in implementing classification policies\nand procedures, including the self-inspection requirement. SEPS officials\nbelieve that these meetings will improve the management of security\nmatters in DOJ, including the accuracy and reliability of the self-inspection\nreports. We recommend that, in addition, SEPS should evaluate its\noversight of the self-inspections process to ensure that DOJ improves the\nreliability of information in its reports to NARA\xe2\x80\x99s Information Security\nOversight Office.\n\nOversight of Compromised Classified Information\n\n       As required by NARA\xe2\x80\x99s Information Security Oversight Office\xe2\x80\x99s\nClassified National Security Information directive, SEPS established\nprocedures to conduct inquiries into any reported loss, possible compromise,\nor unauthorized disclosure of classified information. The DOJ SPOM requires\nthat DOJ components must report all of these incidents to SEPS through the\ncomponent-level Security Programs Manager. Despite this requirement, we\nidentified a significant incident at the FBI that was not reported to SEPS.\n\n       According to FBI officials, in 2010 the FBI incorrectly entered Top\nSecret information from an Intelligence Community agency into a\nSecret-level FBI database used to track terrorist threats. The incident was\nidentified when an FBI employee was informed by the Intelligence\nCommunity agency that certain information, when combined, was classified\nat the Top Secret level. As part of this review, in March 2013 the OIG\nlearned of the incident followed up with the FBI to determine whether the\nclassified information had been removed from the Secret database and\nwhether the classified information might also have been inappropriately\nincluded in other FBI systems. FBI officials told us that they were not\ncertain whether the information was included in other FBI systems.\nUltimately, it was not until July 2013, approximately 3 years after the\nincident and after multiple inquiries by the OIG, that the FBI completed the\nremoval of the information from other FBI systems.\n\n      Notably, we found that the FBI did not inform SEPS of the\ncompromise. In August 2013, after the OIG inquired about why the FBI had\nnot met its responsibility to notify SEPS of the incident, the FBI officials\ninformed us that they would notify SEPS that month. According to the FBI,\nthe FBI\xe2\x80\x99s inability to meet this specific requirement was the result of limited\nresources responsible for reporting incidents to SEPS, as well as the lack of\nan enhanced, automated, and standardized reporting system at the time of\nthe incident. We believe that this discrepancy was also, in part, the result of\nthe FBI\xe2\x80\x99s Security Programs Manager not following specific requirements, as\n\n                                      49 \n\n\x0cdefined by SEPS, and this underscores the need for better oversight of\nclassification procedures. Therefore, we recommend that SEPS review DOJ\ncomponents\xe2\x80\x99 procedures for reporting compromises of classified information\nand reinforce to Security Programs Managers the importance of reporting\ncompromises of classified information to SEPS. SEPS officials stated that in\nearly 2014, SEPS will provide Security Programs Managers with more robust\ntraining in this area.\n\nDOJ Implementation of Regulatory Requirements\n\n       As part of the oversight of DOJ\xe2\x80\x99s classification management program,\nSEPS is responsible for ensuring that policies and procedures comply with all\nregulations and federal requirements. Although DOJ established\nclassification policies and procedures to ensure that information is classified\nand disseminated appropriately, we found some instances where DOJ did not\nadequately address the following requirements of EO 13526.\n\n      \xef\x82\xb7\t The DOJ SPOM does not explicitly include a statement that all\n         individuals are free from retribution for challenging the\n         classification of information.\n\n      \xef\x82\xb7\t The DOJ SPOM does not discuss the process of transferring\n         ownership of classified information with a transfer of functions.\n         Such a discussion would be relevant, for example, when DOJ closes\n         an office that handles classified information, as it did in 2012 when\n         it closed the National Drug Intelligence Center and transferred all\n         classified information belonging to that office to another agency.\n\n      \xef\x82\xb7\t Not all DOJ components incorporated classification management\n         into performance plans and evaluations for OCA officials, derivative\n         classifiers, and security programs officials.\n\n      \xef\x82\xb7\t DOJ did not publish the updated Mandatory Declassification Review\n         processes in the Federal Register.\n\n      In addition, we found that the DOJ SPOM was not updated in a timely\nmanner to correspond with certain ongoing DOJ classification practices.\nSpecifically, although SEPS drafted procedures relative to controls over a\nparticular classified program, it had not finalized those procedures and\nadded them to the DOJ SPOM.\n\n      In response to the weaknesses identified above, SEPS officials stated\nthat Security Programs Managers were instructed through memorandum, as\nwell as during the self-inspection process, to incorporate classification\n\n                                      50 \n\n\x0cmanagement in performance plans for OCA officials, derivative classifiers,\nand security programs officials. In addition, SEPS officials stated that the\nprocess of transferring ownership of classified information with a transfer of\nfunctions is the responsibility of DOJ components\xe2\x80\x99 Records Management\nDivisions. Moreover, SEPS officials do not believe that this process is\nsignificant to DOJ\xe2\x80\x99s security programs or the overall classification\nmanagement program. Nevertheless, EO 13526 and its implementing\ndirective explicitly discuss the process for transferring information for\nagencies that cease to exist. Therefore, we believe that the SPOM should\ninclude this subject area and inform DOJ employees that, within DOJ, the\nprocedures components are required to follow when transferring ownership\nof classified information are a records management function and direct the\nreader to additional reference material.\n\n        According to SEPS officials, it has limited resources dedicated to\nclassification management. Therefore, we believe that certain tasks, such as\ntimely updates and reviews of enacted policies and procedures, are not\nalways highly prioritized by SEPS. Although these specific discrepancies may\nnot directly attribute to the misclassification of information, we believe that\nit is important that SEPS ensure that DOJ is in compliance with all regulatory\nrequirements.\n\nRecommendations\n\nWe recommend that SEPS:\n\n      11.\t   Establish a policy for DOJ components to alert SEPS to\n             participation in SAPs that are overseen by the Intelligence\n             Community.\n\n      12.\t   Evaluate its oversight of the self-inspections process to ensure\n             that DOJ improves the reliability of information in its reports to\n             NARA\xe2\x80\x99s Information Security Oversight Office.\n\n      13.\t   Review DOJ component\xe2\x80\x99s procedures for reporting compromises\n             of classified information and reinforce to Security Programs\n             Managers the importance of reporting compromises of classified\n             information to SEPS.\n\n      14.\t   Incorporate in the SPOM a reference to the procedures DOJ\n             components are required to follow when transferring ownership\n             of classified information.\n\n\n\n                                       51 \n\n\x0c              STATEMENT ON INTERNAL CONTROLS\n\n       As required by Government Auditing Standards, we tested, as\nappropriate, internal controls significant within the context of our audit\nobjectives. A deficiency in an internal control exists when the design or\noperation of a control does not allow management or employees, in the\nnormal course of performing their assigned functions, to timely prevent or\ndetect: (1) impairments to the effectiveness and efficiency of operations,\n(2) misstatements in financial or performance information, or (3) violations\nof laws and regulations. Our evaluation of internal controls for the Justice\nManagement Division, FBI, DEA, National Security Division, Criminal\nDivision, and USMS was not made for the purpose of providing assurance on\nthe agencies\xe2\x80\x99 internal control structures as a whole. The management of\nthese DOJ components is responsible for the establishment and maintenance\nof internal controls.\n\n       Through our audit testing, we identified internal controls deficiencies\nwithin SEPS\xe2\x80\x99s oversight of DOJ\xe2\x80\x99s classification management program. Based\nupon the audit work performed we believe that SEPS lacks the controls\nnecessary to effectively oversee DOJ components\xe2\x80\x99 compliance with certain\nclassification reporting requirements and their implementation of security\nclassification procedures. These matters are discussed in detail in the\nFindings and Recommendations sections of our report.\n\n       Because we are not expressing an opinion on internal control\nstructures as a whole for the Justice Management Division, FBI, DEA,\nNational Security Division, Criminal Division, and USMS, this statement is\nintended solely for the information and use of DOJ components involved in\nthis review. This restriction is not intended to limit the distribution of this\nreport, which is a matter of public record.\n\n\n\n\n                                       52 \n\n\x0c                   STATEMENT ON COMPLIANCE\n\n                  WITH LAWS AND REGULATIONS \n\n\n      As required by the Government Auditing Standards, we tested, as\nappropriate given our audit scope and objectives, records, procedures, and\npractices, to obtain reasonable assurance that management for the Justice\nManagement Division, FBI, DEA, Criminal Division, and National Security\nDivision complied with federal laws and regulations, for which\nnoncompliance, in our judgment, could have a material effect on the results\nof our audit. The management for these entities is responsible for ensuring\ncompliance with applicable federal laws and regulations. In planning our\naudit, we identified the following laws and regulations that were significant\nwithin the context of the audit objectives:\n\n      \xef\x82\xb7\t    Public Law 111-258 (2010), The Reducing Over-Classification Act\n\n      \xef\x82\xb7\t    Executive Order 13526, Classified National Security Information,\n            December 29, 2009\n\n      \xef\x82\xb7\t    32 CFR Part 2001 and 2003 Part V Classified National Security\n            Information; Final Rule (2010)\n\n       Our audit included examining, on a test basis, the auditees\xe2\x80\x99\ncompliance with the aforementioned laws and regulations that could have a\nmaterial effect on these DOJ components\xe2\x80\x99 operations. We accomplished this\ntask by reviewing classification policies, procedures, and practices;\nidentifying and analyzing documentation related to classification\nmanagement, including training programs and self-inspection reports;\ninterviewing personnel who oversee classification programs and who are\nresponsible for classifying information; and testing classified documents to\nensure they comply with all classification requirements. We did not identify\nany issues that caused us to believe that the FBI, DEA, Criminal Division,\nand National Security Division were not in compliance with the\naforementioned laws and regulations.\n\n       In general, the Justice Management Division was in compliance with\nthese applicable laws and regulations. However, we found that the Justice\nManagement Division did not fully implement certain requirements. DOJ did\nnot comply with the EO 13526 requirement to include in its implementing\npolicy \xe2\x80\x93 the Security Program Operating Manual (SPOM) \xe2\x80\x93 a statement that\nall individuals are free from retribution for challenging a document. In\naddition, EO 13526 directed agencies to include Mandatory Declassification\nReview processes in the Federal Register, which DOJ had not fulfilled at the\ntime of the OIG\xe2\x80\x99s review because it did not publish the most up-to-date\n\n                                     53 \n\n\x0cMandatory Declassification processes. Finally, the DOJ SPOM does not\ndiscuss the process of transferring ownership of classified information with a\ntransfer of functions, as required by EO 13526. These issues are identified\nin the Findings and Recommendations sections of our report.\n\n\n\n\n                                      54 \n\n\x0c                                                              APPENDIX I \n\n\n      AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY\n\nAudit Objectives\n\n      As mandated by Congress, the DOJ OIG conducted an audit to\nevaluate policies and procedures implemented by DOJ for its classification\nmanagement program. Specifically, P.L. 111\xe2\x80\x93258 (2010), the Reducing\nOver-Classification Act required that:\n\n      The Inspector General of each department or agency of the\n      United States, with an officer or employee who is authorized to\n      make original classifications, shall carry out no less than two\n      evaluations of that department or agency or a component of the\n      department or agency to: (1) assess whether applicable\n      classification policies, procedures, rules, and regulations have\n      been adopted, followed, and are effectively administered within\n      such department, agency, or component; and (2) identify\n      policies, procedures, rules, regulations, or management practices\n      that may be contributing to persistent misclassification of\n      material within such department, agency, or component.\n\nScope and Methodology\n\n      We conducted this congressionally mandated review in accordance\nwith generally accepted government auditing standards. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our\naudit objectives.\n\n        The Reducing Over-Classification Act directed that the Inspectors\nGeneral consult with NARA\xe2\x80\x99s Information Security Oversight Office and each\nother throughout the evaluations and coordinate amongst themselves to\nensure that the evaluations follow a consistent methodology for report\ncomparison. Pursuant to this mandate, the ODNI Office of Inspector General\nalong with the Department of Defense Inspector General coordinated and\nfacilitated a working group to develop a standard evaluation guide that we\nused as a basis for our evaluation.\n\n       To accomplish our objectives, we conducted over 100 interviews with\nofficials from the Justice Management Division, National Security Division,\nCriminal Division, FBI, DEA, and USMS located in and near\n\n\n                                     55 \n\n\x0cWashington, D.C., as well as at the FBI\xe2\x80\x99s Chicago and Washington field\noffices and the DEA\xe2\x80\x99s Chicago Division.\n\n      Our testing included selecting and reviewing a judgmental sample of\n141 original and derivative classification decisions made by the National\nSecurity Division, Criminal Division, FBI, and DEA. We chose these DOJ\ncomponents because their classification decisions comprised a substantial\npercentage of all classification decisions made by DOJ components with an\nOCA official in FY 2012. Our sample selection methodologies were designed\nto give us a broad exposure of different classification decisions.\nFurthermore, the selection methodologies were not designed with the intent\nof projecting our results to the populations from which the samples were\nselected.\n\n      In addition, although the OIG has an OCA official and reported\nderivative classification decisions during our audit period, we excluded the\nOIG from our review to avoid a conflict of interest. The exclusion of the OIG\nfrom our audit work did not affect the results of our audit because the OIG\ndid not meet the classification decision threshold we established for selecting\nDOJ components to review.\n\nClassified Document Universe\n\n     The following table identifies the different types of classified\ndocuments that the OIG reviewed. As shown, our review provided a broad\nexposure to the different types of classification decisions made by DOJ\ncomponent officials.\n\n                     Classified Documents Reviewed\n                                              National\n                                                          Criminal\n        Document Type              FBI        Security                DEA   Total\n                                                           Division\n                                               Division\nE-mail                              1               0          6       0     7\nCourt Document                      0               4         15       0    19\nMemorandum                          7              21          4       0    32\nCongressional Report                3               1          0       0     4\nFISA Application                    0               4          0       0     4\nOther Report                        0               1          0       0     1\nIntelligence Information Report     8               0          1      11    20\nInvestigative Leads                 0               0          0      17    17\nFBI Electronic Communication       37               0          0       0    37\nTotal Documents                    56              31         26      28    141\nSource: OIG Analysis of DOJ Components\xe2\x80\x99   Classified Documents\n\n\n\n\n                                          56 \n\n\x0c      National Security Division \xe2\x80\x93 To identify a sample of classified\ndocuments, we requested from the National Security Division Security\nPrograms Manager a breakdown of both originally and derivatively classified\ndecisions by all National Security Division offices in FY 2012 to determine\nwhich National Security Division offices made the most classification\ndecisions. The Security Programs Manager informed the OIG that the\nNational Security Division\xe2\x80\x99s Counterterrorism Section, Counterespionage\nSection, and Office of Intelligence made the majority of the derivative and\noriginal classification decisions during FY 2012.\n\n       We requested that officials from the aforementioned offices provide\nthe OIG with a list of classified decisions made during the last quarter of\nFY 2012. From these lists, we selected a judgmental sample of 11 originally\nclassified decisions and 20 derivatively classified decisions that included\nSecret and Top Secret reports, FISA-related documents, and memoranda.\nWe also interviewed National Security Division officials who were the\nclassifiers or the managers of employees who classified the sample\ndocuments to identify reasons for classification or marking errors.\n\n       Criminal Division \xe2\x80\x93 To identify a sample of classified documents, we\nrequested from the Criminal Division Security Programs Manager a\nbreakdown of both originally and derivatively classified decisions by all\nCriminal Division offices in FY 2012. From the information provided, we\nidentified that the Drug Intelligence Unit and the Human Rights and Special\nProtections Section made the majority of Criminal Division\xe2\x80\x99s original and\nderivative classification decisions during FY 2012.\n\n       We requested that officials from the Drug Intelligence Unit and the\nHuman Rights and Special Protections Section provide the OIG with a list of\nclassified decisions made during the last quarter of FY 2012. From these\nlists, we selected a judgmental sample of 10 originally classified documents\nand 16 derivatively classified documents that included Secret and Top Secret\nreports, court documents, e-mails, and memoranda. We also interviewed\nCriminal Division officials from the aforementioned offices who were the\nclassifiers or the managers of employees who classified the sample\ndocuments to identify reasons for classification or marking errors.\n\n       Federal Bureau of Investigation \xe2\x80\x93 The FBI reported its derivatively\nclassified decisions for FY 2012 were based on a statistical projection. The\nFBI\xe2\x80\x99s statistical projection was developed from a random sample method\nimplemented to determine a reasonable estimate for the total number of\nderivative classifications that were made over the 1-year period. Because\nthe universe was an estimated projection, there was no list of actual\nclassified decisions from which to select a judgmental sample of documents.\n\n                                     57 \n\n\x0c      To overcome the limitation of not having a universe to choose from,\nthe OIG requested a list of operational areas that create the most classified\ndecisions. The FBI informed the OIG that the Counterterrorism Division,\nCounterintelligence Division, Cyber Division, and the Weapons of Mass\nDestruction Division create the most classified decisions.\n\n       The OIG requested a list of all cases that were open in the four FBI\noperational areas during the last quarter of FY 2012 in Chicago, Illinois;\nWashington, D.C.; and FBI headquarters. The FBI provided a listing of cases\nthat were opened during the last quarter of FY 2012 in the selected\noperational areas and locations. From this listing of cases opened during\nFY 2012, the OIG judgmentally selected a sample of cases for review.\nAlthough the number of cases that were opened during the period was\nsignificantly lower than the number of cases that were open during the\nperiod, the OIG determined that the number of cases opened during the\nperiod was of sufficient number from each division and location to provide a\nbroad range of documents for review.\n\n       From the listing of cases selected for review, the OIG then requested a\nlisting of the classified documents associated with each selected sample\ncase. From the listing of documents, the OIG judgmentally selected\nclassified documents to review.\n\n       The OIG requested an additional list of all Intelligence Information\nReports prepared by the FBI\xe2\x80\x99s Directorate of Intelligence in the last quarter\nof FY 2012. From this list, the OIG judgmentally selected a sample of\nclassified Intelligence Information Reports created by FBI officials in\nheadquarters and field offices to review.\n\n      The OIG also requested a listing of all reports containing\nFBI-generated classified information that were issued to Congress during the\nlast quarter of FY 2012. From this list, the OIG judgmentally selected a\nsample of Congressional reports to review.\n\n      Finally, the OIG reviewed FBI documents that had been referenced as\nsource documents during reviews of other components. In total, the OIG\nreviewed 56 derivatively classified documents and interviewed over\n25 individuals from these operational areas and offices. The classified\ndocuments we reviewed included reports, case file documents, Intelligence\nInformation Reports, e-mails, and memoranda. These documents included\nTop Secret, Secret, and Confidential classified documents.\n\n\n\n                                      58 \n\n\x0c       Drug Enforcement Administration \xe2\x80\x93 To identify a sample of classified\ndocuments, we requested from the DEA Office of Security Programs a\nuniverse of both originally and derivatively classified decisions by all DEA\noffices. From the universe provided, we identified that the Office of National\nSecurity Intelligence, the Special Operations Division, and the Office of\nSpecial Intelligence made the majority of DEA\xe2\x80\x99s original and derivative\nclassification decisions during FY 2012.\n\n       We requested that officials from the aforementioned DEA offices\nprovide the OIG with a list of classified decisions made during the last\nquarter of FY 2012. From these lists, we selected a judgmental sample of\n4 originally classified documents that included Secret investigative leads and\n24 derivatively classified documents that included Confidential and Secret\nintelligence information reports and other standard reports. We also\ninterviewed DEA officials from these sections who were the classifiers or the\nmanagers of employees who classified the sample documents to identify\nreasons for classification or marking errors.\n\nTesting Process\n\n       To evaluate original classified decisions we reviewed each decision to\nensure it met the criteria as mandated by EO 13526, 32 CFR Part 2001 and\n2003, the Information Security Oversight Office\xe2\x80\x99s Marking Classified National\nSecurity Information booklet, and for DOJ entities that were part of the\nIntelligence Community, the CAPCO Manual.\n\nTesting of Classification Decisions\n\n       Original classification decisions are used only for previously\nunclassified information and should not be based on a prior classified\ndecision as found in a source document or relevant security classified guide.\nWhen making derivative classification decisions, derivative classifiers must\nobserve and respect the original classification decision and carry forward to\nany newly created document the pertinent classification markings from the\nsource document(s) or the security classification guide. The derivative\nclassification decisions must also include a classification block, a\nclassification banner that reflects the highest classification level of the\ninformation contained in the document and appropriate dissemination\ncontrols found in the document, and each portion of the document shall be\nmarked with the classification level and any dissemination controls from\neither source document(s) or a security classification guide.\n\n     We reviewed a sample of DOJ original classification decisions to\ndetermine if these decisions were the first instance of classification and if the\n\n                                       59 \n\n\x0cclassification reason provided was consistent with the EO 13526\nrequirements. As identified in the Findings and Recommendations sections\nof this report, we found discrepancies with the original classification\ndecisions we reviewed.\n\n       In addition, we conducted a review of the classified information in the\noriginally classified documents to assess whether it appeared to meet the\nlevel of classification assigned to it and if the reason assigned to it was\naccurate. Moreover, we reviewed the classified information in the derivative\nclassification decisions to assess whether the classification level\ncorresponded to the source documents and appeared to meet the level of\nclassification assigned. In instances we identified as potential\nmisclassification, we discussed our concerns with the classifier. In most of\nthese instances the classification of information appeared to be justified, but\nas explained in the Findings and Recommendation sections of the report we\nidentified a small number of documents that contained over-classified\ninformation.\n\n       Exhibit I-3 provides an overview of the classification marking\nrequirements that the OIG evaluated for DOJ\xe2\x80\x99s original and derivative\nclassification decisions. We reviewed DOJ classified documents to ensure\nthat these markings were present and included all of this information and if\nthe markings were appropriate for the information contained in the\ndocuments. For our evaluation of derivatively classified decisions, we\nensured that the derivatively classified documents included the accurate and\ncomplete markings, as identified above. In addition, we reviewed these\ndecisions to determine if dissemination and control markings were\nappropriately carried over from the source document(s) or security\nclassification guide. As explained in the Findings and Recommendations\nsections, we found marking errors that we brought to the attention of DOJ\nofficials.\n\n\n\n\n                                      60 \n\n\x0c                                                                                                         APPENDIX II \n\n\n                        CLASSIFIED DOCUMENT MARKING REQUIREMENTS \n\n\n                                                              Overall\n                                                           Classification\n                                                             Markings\n\n\n\n\n                                                                                                              Portion\n       Portion                                                                                               Markings\n      Markings\n\n\n\n\n                                                                                                                 Derivative\n                                                                                                                Classification\n   Original\n                                                                                                                    Block\nClassification\n    Block\n\n                                                                                                                   Overall\n                                                                                                                Classification\n                                                                                                                  Markings\n\n Source: NARA\xe2\x80\x99s Information Security Oversight Office, Marking Classified National Security Information, December 2010\n (Revision January 1, 2012)\n\n\n                                                             61 \n\n\x0c                                                                                  APPENDIX III \n\n\n             JUSTICE MANAGEMENT DIVISION\xe2\x80\x99S \n\n              RESPONSE TO THE DRAFT REPORT \n\n\n                                                     u.s. Departmcnt or Justicc\n\n\n\n\n        SEP 1 9 2013\n\n\n\nMEMORANDUM FOR RAYMOND 1. BEAUDET\n               ASSISTANT INSPECTOR GENERAL FOR AUDIT\n               OFFICE OF THE INSPECTOR GENERAL\n\nFROM:                    Lee J. Lofthus\n                         Assistant AtlOme~(I.\xc2\xa5~~\n                          for Administmti\n\nSUBJECT:                Audit of the Department of Justice\'s Implementation of\n                        National Security Infonnation Classification Requirements\n\nThis responds to your September 9, 2013 memorandum requesting the agency\'s official response\nto the subject report. The sensitivity review and management representation leners will be\nprovided under separate cover by the Department Security Officer. I appreciate this opportunity\nto provide comments on this report.\n\nWhile the report sample did not find indications of widespread misclassi fication . I concur with\nthe need to strengthen the Department\'s classification management program and ensure greater\nconsistency in Department of Justice (DOl) classification actions. Below arc specific comments\nand proposed corrective actions to the recommendations.\n\n   1. Expla in to OO J (:o mpon l\'nts thl\' impo rta nce of reducing th e numb(:r ofOrigiml)\n      C lassification A ut.hori ty (OCA) officia ls a nd have DOJ l\'omponcnts r e\xc2\xb7C\'Xu minc\n      thdr num ber of ~CA offici wls.\n\n       Agn:e. The Se<:urily and Emergency Planning Starr (SEPS) will continue to work with\n       individual components to ensure lhat their OCA delegations arc evaluated according to\n       lhc DOl Security Program Opemting Manual (SPOM). Section 4\xc2\xb7102 (I) of the SPOM\n       statcs that delegations ofOCA shal l be limited to the minimum required to administer\n       Executive Order 13526, Classified National Security Infonnation. In addition.\n       Section 4\xc2\xb7102 (h) stales that components shull limit requests for OCA to those positions\n       that have a demonstrable and continuing need to exerci~ this authority.\n\n       To address this requirement, the Department Security Ofi\'icer will nOlify all DOJ Security\n       Programs Managers (SPMs) with dclegated OCAs oflhe importance of reducing the\n       number of OCAs, and instruct SPMs to re-examine their OCA delegations for possible\n       reductions by October 4, 2013 .\n\n\n\n\n                                                62 \n\n\x0cMemorandum fo r Raymond J. Beaudet                                                         Page 2\nSubjc<:t: Audit of the Department of Justice\'s Implementation of\n           ational Sc<:urity lnfonnation Classification Requirements\n\n\n\n   2. Review all DOJ sec urity classifica tion g uides and work witb Securi ty Progra ms\n      Manage" a nd OCA orficials to identify and reduce redundancies to ensure that\n      instructions a re clea r, precise, consistent, a nd pro,\'idc deril\'ative classifiers with\n      sufficient information to ma ke accurate classification decisions.\n\n       Agree. DOJ completed its first Fundamental Classification Guidance Review in\n       July 2012. Pcr Executive Order 13526, fundame ntal classification guidance reviews will\n       be conducted on a periodic basis thereafter, but shall be conducted at least once every\n       five years. SEPS is currently working with the National Security Division (N SD) and the\n       United States Marshals Services (USMS) to ensure that the DOJ National Security\n       Infonnation Security Classification Guide is updated and revised to adequately meet the\n       requirements and needs of those components, to include providing clear, precise, and\n       consistent infonnation .\n\n       In addition, SEPS will establish a Security Classification Guide Working Group which\n       will include members from each component with delegated OCA. nus working group\n       will be established prior to November 15, 2013. The working group will review all DOJ\n       security classification guides to ensure that security classification issues mentioned in this\n       report are further identifi ed and resolved in order to provide derivative classi fiers\n       throughout the Department with sufficient information to make accurate classification\n       decisions. Updated and revised classification guides resulting fro m the efforts of the\n       Security Classification Working Group will be disseminated to component SPMs and\n       OCA officials by March 28, 2014.\n\n   3. Work with DOJ component Security Programs Managers to ensure that OCA\n      offi cials understand the difference between original and derivative classification\n      decisions and properly mark classified information according to the prope r\n      req uirements of the classification decisions.\n\n       Agree. SEPS will continue to work with component SPMs to ensure that DCA officials\n       understand proper classification marking requirements and will funher educate the OCAs\n       regard ing the difference between original and derivative classification decisions. In\n       accordance wi th the SPM and Executive Order 13526, DCA officials arc required 10\n       receive annual training on their OCA responsibilities, in addition to receiving annual\n       classified National Security Infonnation (NS I) refresher training, which includes\n       classification marking requirements. The OCA and NSI refresher training are currently\n       available on various DOJ learning platfonns via compuler based training. The difference\n       between original and derivati ve classification is also detailed in the " DOJ Guide for\n       Original Classification Authorities." The SPMs have been instructed to provide Ihis\n       guide to their OCAs.\n\n\n\n\n                                                     63 \n\n\x0cMemorandum for Raymond J. Beaudet                                                       Page 3\nSubject: Audit of the Department of Justice\'s Implementation of\n          ational Security Information Classification Requirements\n\n       SEPS will ensure that component OCAs have either completed the above training onli ne\n       or othen.vise received training that meets the minimum standards of Executive Order\n       13526. Component SPMs with outstanding training requirements as of\n       September 30, 2013, will be noti fied via email that they have until December 3 1, 2013 to\n       ensure that their OCAs have received the appropriate training and that their OCAs\n       understand the difference between original and derivative classification decisions. An\n       acknowledgement statement \\vill also be required by the OCAs stating that they\n       understand original and deri vative classification decisions and how to properly mark\n       classified information according to the requirements of the classification deci sions.\n\n   4. Ensure that ODNl\'s ORCON-spcc ific training is promulgated to DOJ components\n      once it is issued and coordinate with the DEA Security Programs Manager and\n      officials representing aU DEA entities using the ORCON control marking to ensure\n      that DEA\'s usc of dissemination control markings is appropriate.\n\n       Agree. Within DOl, only the Federal Bureau of Investigation\'s (FBI) National Security\n       Branch and the Drug Enforcement Agency (DEA) Office of National Security\n       Intelligence are members of the Intelligence Community (lC), and are required to abide\n       by OD I guidelines and directives, in addition to those promulgated by the 001. These\n       sections ofthe FBI and DEA, as members of the IC, arc currently required by the DONI\n       to report on the use of ORCO as part of the annual reporting requirements outlined in\n       Inte lligence Community Directive (lCO) 710, Classification and Control Markings\n       System. It is our understanding that the OONI is current ly developing training that will\n       address the proper use, application, safeguarding, processes fo r dissemination, and\n       derivative usc of the ORCO marking. As IC members, this will be an 00 I directed\n       mandatory training requirement for the FBI ational Security Branch and the DEA\n       Office of National Security Intelligence.\n\n       By October 4,20 13, SEPS will contact DDNI for an estimated training completion date.\n       Once developed, SEPS will evaluate within 30 days of its completion the OONI training,\n       and will either choose to implement the training or work with the OONI to develop\n       within 90 days a similar version of the training that is appropriate to oors general\n       audience, including the OEA.\n\n   S. Ens ure that all DOJ components arc aware of and understand how to apply\n      classification resources and markings, in particular, security classi fication guides,\n      tbe Controlled Access Program Coo rdination Office (CA PCO) manual, and\n      required FISA-specific dissemination controls, as appropriate.\n\n      Agree. SEPS will convene a securi ty education working group consisting of component\n      SPMs, no later than November 15, 2013 to evaluate training requirements, standards, and\n      delivery methods. Training requirements and standards resulting from the efforts of thi s\n      working group will be dissem inated by March 28,20 14 to ensure 0 0 1 components arc\n      aware of, and understand how to apply classification resources and markings.\n\n\n\n\n                                               64 \n\n\x0cMemorandum for Raymond J. Beaudet                                                        Page 4\nSubject: Audit of the Department of Justice\' s Implementation of\n         National Security Infannatian Classification Requirements\n\n   6. Review ihe OOJ Ma rking Classified National Security Information guid e and\n      incorporate comprehensive instruction for marking all types of classified products,\n      including e-mail correspondence and meeting noles.\n\n       Agree. The purpose of the DOJ Marking Classified National Security Infannation Guide\n       is to provide employees with an overview of their personal ro les and responsibilities\n       regarding infonnation security. Specifically. it addresses what type ofinfonnation can be\n       classified, who makes classification decisions, and the proper mark ings to be used when\n       classified infonnation is contained in documents and media. The Guide was not\n       developed, nor is intended to be, all inclusive. Rather. in instances where users of the\n       Guide find it inadequate, they are advised to refer to the 32 C.F.R. Part 200 1, and other\n       Information Security Oversight Office (IS00) issuances for further clarifications. SPMs\n       are also to be consulted if users have questions.\n\n       Although the Guide docs currently contain guidance on email correspondence and\n       meeting notes that conforms to and meets the requirements of marking guidance provided\n       by the [SOO, by December 31 , 2013, SEPS will expand upon guidance in those areas\n       where this report has indicated a need for additional clarity.\n\n   7. Reinforce to DOJ components its requirement to include the specific item number of\n      the security cl ass ification guide used as the So urce of the derivative cl ass ification\n      decision and clarify that tbis is necessary for up to four line items when multiple line\n      Hems are used.\n\n       Agree. SEPS will revise the DOJ National Security Information Security Classification\n       Guide and infonn al l components with classification guides currently in use of this\n       identification requirement via email or in a meeting prior to December 31, 20 13. SEPS\n       will require components with classification guides to provide copies of this change and\n       identify how this change was communicated to users of the guide.\n\n   8. Evaluate the possibility of using automated classification tools throughout DOJ.\n\n      Agree. SEPS believes that an automated classification tool is greatly needed \\vithin the\n      DOl As such, SEPS will continue to evaluate the possibility of using automated\n      classification tools throughout DOJ. This is an ongoing and continuous process that\n      involves 001 Office of the Chief Information Officer (OCIO) and automated\n      classification tool providers. SEPS will provide an evaluation on the feasibi lity of using\n      automated classification tools throughout the DOJ by December 31,2013. This\n      evaluation will include expected costs and compatibi lity with ex isting systems.\n\n\n\n\n                                                 65 \n\n\x0cMemorandum for Raymond J. Beaudet                                                          Page 5\nSubject: Audit of the Department of Justice\'s Implementation of\n         National Security Information Classification Requirements\n\n   9. Determine wh at classified infrast ruci ure enhancements a re needed fo r DOJ\n       components, in particular those DOJ co mponents with fie ld offices tha t work with\n       Intelligencc Community (lC) agencies, to successfully use an d share appropr iate\n       types of class ified information.\n\n       Agree. SEPS wi ll continue to research besi practices regarding classified document\n       infon11ation sharing methodologies. Additional ly, if and when the IC deve lops guidance\n       designed to increase classified infonnation sharing, SEPS wi ll convey to all DOJ\n       components, through the SPMs, the guidance provided by the IC. SEPS wi ll also work\n       with the DOJ OCIO to determine enhancements needed for an exped ited and secure\n       sharing of classified information via a comprehensive classified systems infrastructure.\n       SEPS, in coordination with the OCIO, wi ll provide a feasibility study by June 30, 2014,\n       determining what classified enhancements are needed for DOJ components.\n\n   10. \\ Vo rk with DOJ components to enha nce class ification tra ining p rograms to ensure\n       t bal a ll personn cl a re a wa re of policies, procedures, and r eq uirements fo r\n       classify ing na tional security infor ma tion.\n\n       Agree. This is a continuous process within the Department. As mentioned in\n       Recommendation 5, SEPS will convene a security education working group no later than\n       November 15,2013 to evaluate training requ irements, standards, and delivery methods.\n\n   11. Establis h a policy for DO J co mponents in tbe Intelligence Comm unity to alert SEPS\n       to tbe cr eation a nd op er ation of a SAP within OOJ .\n\n      Agree. SEilS is in the process of reviewing and revising Chapter 11 of the SPOM\n      entitled "Special Access Programs." Once this review and revi sion is complete, the\n      Department Security Officer will noti fy Department components of the reporting\n      requirements pertaining to Special Access Programs. SEPS plans to have the policy\n      revision and accompanying notificat ion completed prior to March 28, 2014.\n\n   12. Evalu a te its oversight of the self-in spcctions process to ens ure tha t 00.1 prov ides\n       r eliab le infor mation in its reports to NARA \' s Information Security Oversight\n       O ffi ce.\n\n      Agree. SEPS provided self-inspection training to the SPMs and component\n      representatives in May 2013. The training included an overview of the self-inspection\n      requirements and a thorough review of the self-inspection check list. Self-inspection\n      results and check lists from 20 12 were provided to the SPMs in order to assist with the\n      2013 data call . SEPS conveyed its expectations fo r the components to coordi nate with\n      offices world-wide to obtain accurate data and to also develop internal se lf-inspection\n      programs to be conducted semi-annually, at a minimum.\n\n\n\n\n                                                66 \n\n\x0cMemorandum for Raymond J. Beaudet                                                         Page 6\nSubject: Audit of the Department of Justice\' s Implementation of\n         National Security lnformation Classification Requirements\n\n       SEPS continues to work closely with component representatives throughout the 1500\n       self-inspection data call process to cnsure accurate information is submitted. This is\n       accomplished by detai led telephone calls, e-mails, and meetings with representati ves\n       addressing the checklist requirements. If the component believes the self-inspection\n       program does not appl y, SEPS coordi nates with the appropriate officials 10 verify the\n       validity in their response and further coord ination and education is provided to the\n       component if the program does apply. Each submission is also thoroughly reviewed and\n       analyzed, taking into account the degree in wh ich the component handles classified\n       infonnation.\n\n       For the 2013 self-inspection data call. SEPS will take the necessary steps 10 ensure all\n       submissions are complete and accurate as possible. SEPS will thoroughly analyze each\n       response and any areas of discrepancy will be validated with the submitting component.\n       Additionally, component SPMs wi ll be required to state that their submissions to the\n       self-inspection data call are as accurate as possible to the best of their knowledge.\n\n   13. Review DOJ component\'s procedures for reporting compromises of classified\n       information and reinforce to Security Programs Managers the importa nce of\n       reporting compromises of classified informa tion to SEPS.\n\n       Agree. The reponing of securi ty incidents is reviewed by SEPS in coordination with the\n       DOJ\' s Security Operations Center (JSOC). This process involves an automated e-mail\n       noti fication fro m JSOC and a SEPS representative whenever a cl assified incident is\n       reponed by the components. Each incident is individually evaluated fo r fu nher SEPS\n       action.\n\n       An SPM training session for security incident reponing will be scheduled during FY\n       2014 and will reinforce the imponance of reponing the compromise of classified\n       infonnation. Representatives of SEPS have individually met with the SPM staff for the\n       FBI (most recently August 21 . 2013). USMS (July 9. 2013). and ATF (July 18. 2013) 10\n       reinforce the imponance of reponing compromises of classi fied infonnation. Lastly,\n       SEPS will draft a Department-wide instruction mandating incident report ing\n       requirements to further reinforce the importance of reporting compromises of classified\n       infonnatio n. It is SEPS intent to have this instruction drafted by June 30, 20 14, as this\n       wi ll involve in depth coordination with component SPMs and the DOJ OCIO.\n\n\n\n\n                                               67 \n\n\x0cMemorandum for Raymond J. Beaudet                                                         Page 7\nSubject: Audit of the Department of Justicc\'s Implementation of\n         Nationa! Security lnfannation Classification Requirements\n\n   14. Incorporate in the SPOM tbe procedures DOJ components arc required to follow\n       when transferring ownership of classified information and the requirements SEPS\n       must use to ensure that components follow this protocol.\n\n       Agree. SEPS will update the SPOM or send out a policy memorandum to reOeet\n       language contained in 32 CFR Part 200 1 by December 31, 2013. Transferring ownership\n       of records, classified and unclassified is the responsibility of component records officers.\n       44 U.S.C. 2908 states that the Archivist of the United States shall promulgate regulations\n       governing the transfer of records from the custody of one executive agency to that of\n       another; and 36 CFR Part 123 1 provides regu lations that apply to records officers\n       transferring records from the custody of one executive agency to another.\n\nI am committed to a strong and effecti ve ciassification management program, both in tenns of\nimproving our guidance and in tenns of having DOJ components ensure their own classification\nactions are being correctly perfonned.\n\nI appreciate ine opportunity to comment on the repon and convey the steps being taken to\nimplement your recommendations. Should you have any questions or require add itional\ninformation, please contact James L. Dunlap, Department Security Officer, at (202) 514-2094.\n\n\n\n\n                                               68 \n\n\x0c                                                            APPENDIX IV \n\n\n              OFFICE OF THE INSPECTOR GENERAL \n\n             ANALYSIS AND SUMMARY OF ACTIONS\n\n               NECESSARY TO CLOSE THE REPORT\n\n\n       The OIG provided a draft of this audit report to the Justice\nManagement Division (JMD). JMD\xe2\x80\x99s response is incorporated in Appendix III\nof this final report. The following provides the OIG analysis of the response\nand summary of actions necessary to close the report.\n\nRecommendation Number:\n\n1.\t   Resolved. JMD concurred with our recommendation to explain to DOJ\n      components the importance of reducing the number of Original\n      Classification Authority (OCA) officials and have Department of Justice\n      (DOJ) components re-examine their number of OCA officials. JMD\n      stated in its response that the Security and Emergency Planning Staff\n      (SEPS) will continue to work with DOJ components to ensure that OCA\n      delegations are limited to the minimum necessary to administer\n      Executive Order 13526, as required by the Security Program Operating\n      Manual (SPOM). In addition, the Department Security Officer will\n      notify all DOJ Security Programs Managers (with delegated OCA\n      officials) of the importance of reducing the number of OCA officials and\n      will instruct the components to re-examine their OCA delegations for\n      possible reductions.\n\n      This recommendation can be closed when we receive evidence that\n      SEPS has provided instruction to DOJ components on the importance\n      of limiting their number of OCA officials and that DOJ components\n      have re-examined their OCA delegations.\n\n2.\t   Resolved. JMD concurred with our recommendation to review all DOJ\n      security classification guides and work with Security Programs\n      Managers and OCA officials to identify and reduce redundancies to\n      ensure that instructions are clear, precise, consistent, and provide\n      derivative classifiers with sufficient information to make accurate\n      classification decisions. JMD stated in its response that SEPS is\n      currently working with the National Security Division and the United\n      States Marshals Services (USMS) to ensure that the DOJ National\n      Security Information Security Classification Guide is updated and\n      revised to meet the requirements and needs of those components. In\n      addition, JMD stated that SEPS will establish a Security Classification\n      Guide Working Group to review and resolve issues in all DOJ security\n      classification guides.\n\n\n                                     69 \n\n\x0c      This recommendation can be closed when we receive evidence that\n      SEPS has updated the DOJ National Security Information Security\n      Classification Guide to include National Security Division and USMS\n      classification requirements. In addition, please provide evidence that\n      SEPS, in coordination with the Security Classification Guide Working\n      Group, reviewed and resolved security classification guide issues,\n      including redundancies and inconsistent instructions.\n\n3.\t   Resolved. JMD concurred with our recommendation to work with DOJ\n      component Security Programs Managers to ensure that OCA officials\n      understand the difference between original and derivative classification\n      decisions and properly mark classified information according to the\n      proper requirements of the classification decisions. In its response,\n      JMD stated that OCA officials are required to receive annual National\n      Security Information training and review the \xe2\x80\x9cDOJ Guide for Original\n      Classification Authorities,\xe2\x80\x9d both of which include information on\n      classification marking requirements and the difference between\n      original and derivative classification decisions. In addition, JMD stated\n      that SEPS will ensure that DOJ OCA officials have completed the\n      annual training requirements. JMD further stated that SEPS will\n      require DOJ OCA officials to formally acknowledge that they\n      understand the difference between original and derivative classification\n      decisions and how to properly mark classified information.\n\n      This recommendation can be closed when we receive evidence that all\n      OCA officials have received National Security Information training and\n      have provided the acknowledgement that they understand the\n      difference between original and derivative classification decisions and\n      how to properly mark classified information.\n\n4.\t   Resolved. JMD concurred with our recommendation to ensure that\n      Office of the Director of National Intelligence\xe2\x80\x99s (ODNI) Originator\n      Controlled (ORCON) specific training is promulgated to DOJ\n      components once it is issued and to coordinate with the Drug\n      Enforcement Administration (DEA) Security Programs Manager and\n      officials representing all DEA entities using the ORCON control\n      markings to ensure that DEA\xe2\x80\x99s use of dissemination control markings is\n      appropriate. In its response, JMD stated that as members of the\n      Intelligence Community, the Federal Bureau of Investigation\xe2\x80\x99s (FBI)\n      National Security Branch and DEA\xe2\x80\x99s Office of National Security\n      Intelligence are required to report to ODNI on their use of ORCON.\n      JMD further stated that ODNI is developing training that will address\n      the proper use, application, safeguarding, dissemination process, and\n\n                                      70 \n\n\x0c      derivative use of the ORCON marking. The FBI National Security\n      Branch and the DEA Office of National Security Intelligence will be\n      required to take this training. JMD further explained that once ODNI\n      develops the ORCON marking training, SEPS will evaluate the training\n      to determine if it will implement the training or coordinate with ODNI\n      to develop more appropriate ORCON-specific training for DOJ\xe2\x80\x99s general\n      audience, including the DEA.\n\n      This recommendation can be closed when we receive evidence that\n      SEPS has either implemented ODNI\xe2\x80\x99s ORCON-specific training for DOJ\n      components or developed a more appropriate ORCON-specific training\n      for DOJ components. In addition, please provide evidence that SEPS\n      has coordinated with the DEA Security Programs Manager and officials\n      representing all DEA entities using the ORCON control markings to\n      ensure that DEA\xe2\x80\x99s use of dissemination control markings is\n      appropriate.\n\n5.\t   Resolved. JMD concurred with our recommendation to ensure that all\n      DOJ components are aware of and understand how to apply\n      classification resources and markings, in particular, security\n      classification guides, the Controlled Access Program Coordination\n      Office (CAPCO) manual, and required Foreign Intelligence Surveillance\n      Act (FISA) specific dissemination controls, as appropriate. In its\n      response, JMD stated that SEPS will establish a Security Education\n      Working Group, comprised of DOJ component Security Programs\n      Managers, to evaluate training requirements, standards, and delivery\n      methods. JMD further stated that SEPS will disseminate the revised\n      training requirements and standards to ensure DOJ components are\n      aware of and understand how to apply classification resources and\n      markings.\n\n      This recommendation can be closed when we receive evidence that\n      SEPS has developed and disseminated to DOJ components training\n      requirements and standards on how to apply classification resources\n      and markings, in particular, security classification guides, the CAPCO\n      manual, and required FISA-specific dissemination controls.\n\n6.\t   Resolved. JMD concurred with our recommendation to review the\n      DOJ Marking Classified National Security Information Guide and\n      incorporate comprehensive instruction for marking all types of\n      classified products, including e-mail correspondence and meeting\n      notes. In its response, JMD stated that the DOJ Marking Classified\n      National Security Information Guide was not developed to be all\n      inclusive. However, JMD stated that SEPS will expand upon the\n\n                                     71 \n\n\x0c      guidance in the DOJ Marking Classified National Security Information\n      Guide for marking classified e-mail correspondence and meeting notes.\n\n      This recommendation can be closed when we receive evidence that\n      SEPS has provided comprehensive instruction for marking all types of\n      classified products, including e-mail correspondence and meeting\n      notes.\n\n7.\t   Resolved. JMD concurred with our recommendation to reinforce to\n      DOJ components its requirement to include the specific item number of\n      the security classification guide used as the source of the derivative\n      classification decision and clarify that this is necessary for up to four\n      line items when multiple line items are used. In its response, JMD\n      stated that SEPS will revise the DOJ National Security Information\n      Security Classification Guide and inform all components of this\n      requirement. In addition, JMD stated that SEPS will require DOJ\n      components with security classification guides to provide copies of this\n      change and identify how this change was communicated to users of\n      the component-specific security classification guides.\n\n      This recommendation can be closed when we receive evidence that\n      SEPS has revised the DOJ National Security Information Security\n      Classification Guide to include the item number identification\n      requirement. In addition, please provide evidence that this\n      requirement was included in all DOJ security classification guides and\n      communicated to the users of those security classification guides.\n\n8.\t   Resolved. JMD concurred with our recommendation to evaluate the\n      possibility of using automated classification tools throughout DOJ.\n      JMD stated in its response that SEPS will coordinate with DOJ\xe2\x80\x99s Office\n      of the Chief Information Officer and automated classification tool\n      providers to evaluate the feasibility of using automated classification\n      tools throughout DOJ.\n\n      This recommendation can be closed when we receive evidence that\n      SEPS has conducted an evaluation on the feasibility of using\n      automated classification tools throughout DOJ.\n\n9.\t   Resolved. JMD concurred with our recommendation to determine\n      what classified infrastructure enhancements are needed for DOJ\n      components, in particular those DOJ components with field offices that\n      work with Intelligence Community agencies, to successfully use and\n      share appropriate types of classified information. In its response, JMD\n      stated that SEPS will research best practices regarding classified\n\n                                      72 \n\n\x0c     document information sharing methodologies. Additionally, JMD\n     stated that SEPS will work with DOJ\xe2\x80\x99s Office of the Chief Information\n     Officer to determine enhancements needed for a comprehensive\n     classified systems infrastructure to expedite the sharing of classified\n     information. SEPS will provide a feasibility study regarding these\n     enhancements.\n\n     This recommendation can be closed when we receive evidence that\n     SEPS has identified and communicated to DOJ components classified\n     information sharing best practices. In addition, please provide\n     evidence that SEPS conducted an evaluation of DOJ\xe2\x80\x99s classified\n     systems infrastructure to determine what enhancements are needed\n     for DOJ components to successfully use and share appropriate types of\n     classified information.\n\n10.\t Resolved. JMD concurred with our recommendation to work with DOJ\n     components to enhance classification training programs to ensure that\n     all personnel are aware of policies, procedures, and requirements for\n     classifying national security information. In its response, JMD stated\n     that SEPS will establish a Security Education Working Group,\n     comprised of Security Programs Managers from each DOJ component,\n     to evaluate training requirements, standards, and delivery methods.\n\n     This recommendation can be closed when we receive evidence that\n     SEPS has established the Security Education Working Group and\n     enhanced classification training programs to ensure that all personnel\n     are aware of policies, procedures, and requirements for classifying\n     national security information.\n\n11.\t Resolved. JMD concurred with our recommendation to establish a\n     policy for DOJ components to alert SEPS to participation in Special\n     Access Programs that are overseen by the Intelligence Community. In\n     its response, JMD stated that SEPS will review and revise Chapter 11\n     of the SPOM entitled \xe2\x80\x9cSpecial Access Programs.\xe2\x80\x9d In addition, JMD\n     stated that once SEPS completes the revisions, the Department\n     Security Officer will notify DOJ components of the reporting\n     requirements pertaining to Special Access Programs.\n\n     This recommendation can be closed when we receive evidence that\n     SEPS has revised the SPOM to include a policy for DOJ components to\n     alert SEPS to participation in Special Access Programs that are\n     overseen by the Intelligence Community. In addition, please provide\n     evidence that the Department Security Officer has notified DOJ\n     components of the new reporting requirements.\n\n                                     73 \n\n\x0c12.\t Resolved. JMD concurred with our recommendation to evaluate its\n     oversight of the self-inspections process to ensure that DOJ improves\n     the reliability of information in its reports to NARA\xe2\x80\x99s Information\n     Security Oversight Office. In its response, JMD stated that in\n     May 2013, SEPS provided self-inspection training to DOJ component\n     representatives and Security Programs Managers. This training\n     included an overview of the self-inspection requirements and a\n     thorough review of the self-inspection checklist. In addition, JMD\n     stated that SEPS will take the necessary steps to help ensure the\n     validity and completeness of component-submitted self-inspection\n     data. Moreover, JMD stated that SEPS will also require component\n     Security Programs Managers to state that their submissions of self-\n     inspection data are as accurate as possible.\n\n     This recommendation can be closed when we receive evidence that\n     SEPS has conducted self-inspection training with DOJ component\n     Security Program Managers and representatives. In addition, please\n     provide evidence that SEPS conducted a thorough review of the\n     FY 2013 self-inspection submissions and coordinated with DOJ\n     components to verify the validity and completeness of the information.\n\n13.\t Resolved. JMD concurred with our recommendation to review DOJ\n     component\xe2\x80\x99s procedures for reporting compromises of classified\n     information and reinforce to Security Programs Managers the\n     importance of reporting compromises of classified information to SEPS.\n     In its response, JMD stated that during July and August 2013, SEPS\n     representatives met with security personnel at FBI, USMS, and the\n     Bureau of Alcohol, Tobacco, Firearms and Explosives to reinforce the\n     importance of reporting compromises of classified information.\n     Moreover, JMD stated that during FY 2014, SEPS will conduct a\n     training session for all DOJ Security Programs Managers to reinforce\n     the importance of reporting the compromise of classified information.\n     In addition, JMD stated that SEPS will coordinate with Security\n     Programs Managers and the DOJ Office of the Chief Information Officer\n     to issue a Department-wide instruction mandating incident reporting\n     requirements.\n\n     This recommendation can be closed when we receive evidence that\n     SEPS has reviewed DOJ components\xe2\x80\x99 procedures for reporting\n     compromises of classified information and reinforced to Security\n     Programs Managers the importance of reporting compromises of\n     classified information to SEPS.\n\n\n                                    74 \n\n\x0c14.\t Resolved. JMD concurred with our recommendation to incorporate in\n     the SPOM a reference to the procedures DOJ components are required\n     to follow when transferring ownership of classified information. In its\n     response, JMD stated that SEPS will update the SPOM or send out a\n     policy memorandum to reflect language discussing the transferring of\n     ownership of records language contained in 32 C.F.R. Part 2001.\n\n     This recommendation can be closed when we receive evidence that\n     SEPS has either updated the SPOM or sent out a policy memorandum\n     discussing the procedures for DOJ components to follow when\n     transferring ownership of classified information.\n\n\n\n\n                                     75 \n\n\x0c'